Windows Analysis Report NEW PO.exe

Overview

General Information

Sample Name: NEW PO.exe
Analysis ID: 511007
MD5: 770f6e88b7bf3fe3aae144a5aa41dc96
SHA1: ed96d179403ab319da62c092a817a5ebeea8c3da
SHA256: 08187be5bb78da6c7751c5d870d46e43e6b4204db6abf2cc2d80e9830fd136ba
Tags: exehawkeye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AntiVM3
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Machine Learning detection for sample
Source: NEW PO.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.11.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.11.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.NEW PO.exe.474fbd0.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 7.0.NEW PO.exe.400000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.26.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.26.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.38.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.38.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.37.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.37.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.21.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.21.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.16.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.16.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.26.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.26.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.NEW PO.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.NEW PO.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473

Compliance:

barindex
Uses 32bit PE files
Source: NEW PO.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW PO.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ml.pdbZ source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb7 source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdbd source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb} source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb_ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbY source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.pdb` source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb. source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbu source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbq source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbM source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbo source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbG source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: CMemoryExecute.pdb`*" source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdbk source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdbI source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: xecute.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb[ source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: rawing.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbO source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: version.pdb{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb~o{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbU source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdbC source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdbw source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: j0C:\Windows\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source: Binary string: m'Xn.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: wmswsock.pdbS source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0 source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb= source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340203819.00000000054C0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: pnrpnsp.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbi source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: NEW PO.PDB source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: .pdbI source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: .pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdbA source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp

Spreading:

barindex
May infect USB drives
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 10_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 10_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 11_2_00406EC3

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_00DEFED9
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then jmp 04F7A630h 7_2_04F7A568
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then jmp 04F7A630h 7_2_04F7A559
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_04F79EF5
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_04F79A2D
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_04F72B75
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07A60584
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 16_2_051B2B75

Networking:

barindex
May check the online IP address of the machine
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: NEW PO.exe, 00000007.00000000.319973922.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439124560.0000000007B0D000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/foo
Source: NEW PO.exe, 00000007.00000000.317987714.0000000002D82000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.391767128.00000000035AF000.00000004.00000001.sdmp String found in binary or memory: http://mail.inbox.lv
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: NEW PO.exe, 00000007.00000000.312878482.0000000002AA1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: NEW PO.exe, 00000007.00000000.317839856.0000000002D35000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: NEW PO.exe, 00000007.00000000.317321122.0000000002B0B000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: NEW PO.exe, 00000007.00000000.313150769.0000000002D3E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com4
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.357016528.0000000002C4C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.435099803.00000000032D1000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000A.00000003.329276630.000000000059D000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329666537.0000000002871000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415728585.0000000002941000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000A.00000003.329353144.0000000002963000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415661775.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: unknown DNS traffic detected: queries for: whatismyipaddress.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:11 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a543f9218035b86-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:47 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a5440731a042c52-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Installs a global keyboard hook
Source: C:\Users\user\Desktop\NEW PO.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW PO.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Contains functionality to log keystrokes (.Net Source)
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A605A4 SetWindowsHookExA 0000000D,00000000,?,? 7_2_07A605A4
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040D674 OpenClipboard,GetLastError,DeleteFileW, 10_2_0040D674
Creates a DirectInput object (often for capturing keystrokes)
Source: WindowsUpdate.exe, 0000000F.00000002.355381618.0000000000FD8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\NEW PO.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
One or more processes crash
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424
Detected potential crypto function
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_0318D2F4 0_2_0318D2F4
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_03187758 0_2_03187758
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_03187748 0_2_03187748
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEB29C 7_2_00DEB29C
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEC310 7_2_00DEC310
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEB290 7_2_00DEB290
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DE99D0 7_2_00DE99D0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEDFD0 7_2_00DEDFD0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BB5A0 7_2_072BB5A0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BB258 7_2_072BB258
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072B0040 7_2_072B0040
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BEF88 7_2_072BEF88
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BBE70 7_2_072BBE70
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072B001F 7_2_072B001F
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A62788 7_2_07A62788
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A61FD0 7_2_07A61FD0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A634D0 7_2_07A634D0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A6B180 7_2_07A6B180
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404419 10_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404516 10_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00413538 10_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004145A1 10_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040E639 10_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004337AF 10_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004399B1 10_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0043DAE7 10_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00405CF6 10_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00403F85 10_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00411F99 10_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404DDB 11_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040BD8A 11_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404E4C 11_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404EBD 11_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404F4E 11_2_00404F4E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00FBD2F4 15_2_00FBD2F4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00FB7758 15_2_00FB7758
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00FB7748 15_2_00FB7748
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050D0006 15_2_050D0006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050D0040 15_2_050D0040
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050DE928 15_2_050DE928
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050DE938 15_2_050DE938
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114B29C 16_2_0114B29C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114C310 16_2_0114C310
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114B290 16_2_0114B290
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_011499D0 16_2_011499D0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114DFD0 16_2_0114DFD0
Uses 32bit PE files
Source: NEW PO.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.0.NEW PO.exe.2d9bffc.45.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.2afd174.43.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.7ee0000.37.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.8660000.48.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35f1ffc.44.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8640000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7ee0000.49.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.7ee0000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.2af76d8.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.332d36c.31.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.35.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.35e4248.43.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.47.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2afd174.31.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.32.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35e4248.32.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8660000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.2acb1c8.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.332d36c.42.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.36.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.44.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.7c60000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.32fb060.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d9bffc.33.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8660000.36.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.48.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.333ba6c.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY