Windows Analysis Report NEW PO.exe

Overview

General Information

Sample Name: NEW PO.exe
Analysis ID: 511007
MD5: 770f6e88b7bf3fe3aae144a5aa41dc96
SHA1: ed96d179403ab319da62c092a817a5ebeea8c3da
SHA256: 08187be5bb78da6c7751c5d870d46e43e6b4204db6abf2cc2d80e9830fd136ba
Tags: exehawkeye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AntiVM3
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Machine Learning detection for sample
Source: NEW PO.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.11.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.11.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.NEW PO.exe.474fbd0.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 7.0.NEW PO.exe.400000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.26.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.26.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.38.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.38.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.37.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.37.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.21.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.21.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.16.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.16.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.21.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.11.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.16.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.26.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.26.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.NEW PO.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.NEW PO.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473

Compliance:

barindex
Uses 32bit PE files
Source: NEW PO.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW PO.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ml.pdbZ source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb7 source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdbd source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb} source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb_ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbY source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.pdb` source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb. source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbu source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbq source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbM source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbo source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbG source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: CMemoryExecute.pdb`*" source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdbk source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdbI source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: xecute.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb[ source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: rawing.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbO source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: version.pdb{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb~o{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbU source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdbC source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdbw source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: j0C:\Windows\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source: Binary string: m'Xn.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: wmswsock.pdbS source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0 source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb= source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340203819.00000000054C0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: pnrpnsp.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbi source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: NEW PO.PDB source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: .pdbI source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: .pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdbA source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp

Spreading:

barindex
May infect USB drives
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 10_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 10_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 11_2_00406EC3

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_00DEFED9
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then jmp 04F7A630h 7_2_04F7A568
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then jmp 04F7A630h 7_2_04F7A559
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_04F79EF5
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_04F79A2D
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_04F72B75
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07A60584
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 16_2_051B2B75

Networking:

barindex
May check the online IP address of the machine
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: NEW PO.exe, 00000007.00000000.319973922.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439124560.0000000007B0D000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/foo
Source: NEW PO.exe, 00000007.00000000.317987714.0000000002D82000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.391767128.00000000035AF000.00000004.00000001.sdmp String found in binary or memory: http://mail.inbox.lv
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: NEW PO.exe, 00000007.00000000.312878482.0000000002AA1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: NEW PO.exe, 00000007.00000000.317839856.0000000002D35000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: NEW PO.exe, 00000007.00000000.317321122.0000000002B0B000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: NEW PO.exe, 00000007.00000000.313150769.0000000002D3E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com4
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.357016528.0000000002C4C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.435099803.00000000032D1000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000A.00000003.329276630.000000000059D000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329666537.0000000002871000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415728585.0000000002941000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000A.00000003.329353144.0000000002963000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415661775.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: unknown DNS traffic detected: queries for: whatismyipaddress.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:11 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a543f9218035b86-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:47 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a5440731a042c52-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Installs a global keyboard hook
Source: C:\Users\user\Desktop\NEW PO.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW PO.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Contains functionality to log keystrokes (.Net Source)
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A605A4 SetWindowsHookExA 0000000D,00000000,?,? 7_2_07A605A4
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040D674 OpenClipboard,GetLastError,DeleteFileW, 10_2_0040D674
Creates a DirectInput object (often for capturing keystrokes)
Source: WindowsUpdate.exe, 0000000F.00000002.355381618.0000000000FD8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\NEW PO.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
One or more processes crash
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424
Detected potential crypto function
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_0318D2F4 0_2_0318D2F4
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_03187758 0_2_03187758
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_03187748 0_2_03187748
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEB29C 7_2_00DEB29C
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEC310 7_2_00DEC310
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEB290 7_2_00DEB290
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DE99D0 7_2_00DE99D0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEDFD0 7_2_00DEDFD0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BB5A0 7_2_072BB5A0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BB258 7_2_072BB258
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072B0040 7_2_072B0040
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BEF88 7_2_072BEF88
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072BBE70 7_2_072BBE70
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_072B001F 7_2_072B001F
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A62788 7_2_07A62788
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A61FD0 7_2_07A61FD0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A634D0 7_2_07A634D0
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A6B180 7_2_07A6B180
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404419 10_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404516 10_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00413538 10_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004145A1 10_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040E639 10_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004337AF 10_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004399B1 10_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0043DAE7 10_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00405CF6 10_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00403F85 10_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00411F99 10_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404DDB 11_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040BD8A 11_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404E4C 11_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404EBD 11_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00404F4E 11_2_00404F4E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00FBD2F4 15_2_00FBD2F4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00FB7758 15_2_00FB7758
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00FB7748 15_2_00FB7748
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050D0006 15_2_050D0006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050D0040 15_2_050D0040
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050DE928 15_2_050DE928
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050DE938 15_2_050DE938
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114B29C 16_2_0114B29C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114C310 16_2_0114C310
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114B290 16_2_0114B290
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_011499D0 16_2_011499D0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114DFD0 16_2_0114DFD0
Uses 32bit PE files
Source: NEW PO.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.0.NEW PO.exe.2d9bffc.45.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.2afd174.43.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.7ee0000.37.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.8660000.48.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35f1ffc.44.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8640000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7ee0000.49.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.7ee0000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.2af76d8.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.332d36c.31.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.35.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.35e4248.43.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.47.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2afd174.31.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.32.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35e4248.32.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8660000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.2acb1c8.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.332d36c.42.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.36.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.44.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.7c60000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.32fb060.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d9bffc.33.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8660000.36.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.48.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.333ba6c.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.439571003.0000000008640000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.395440509.0000000008660000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.395401347.0000000008640000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.366905535.0000000007C60000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.408411000.0000000008640000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315132026.0000000007C60000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315200782.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.408464737.0000000008660000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.439615340.0000000008660000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.367050092.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.320411963.0000000007C60000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 10_2_00408836
Sample file is different than original file name gathered from version info
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTaskNode.dll4 vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.295510241.0000000000F70000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCLRSurrogateEnt.exeH vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.290440235.00000000006C0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCLRSurrogateEnt.exeH vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293949703.0000000000482000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.316678643.0000000000DFA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs NEW PO.exe
Source: NEW PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NEW PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NEW PO.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PO.exe.log Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@22/22@4/4
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: NEW PO.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource, 10_2_00411EF8
Source: C:\Users\user\Desktop\NEW PO.exe File read: C:\Users\user\Desktop\NEW PO.exe Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\NEW PO.exe 'C:\Users\user\Desktop\NEW PO.exe'
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: C:\Users\user\Desktop\NEW PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File created: C:\Users\user\AppData\Local\Temp\bhvF8EB.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 10_2_00415F87
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\NEW PO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 10_2_00411196
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6044
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3996
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\NEW PO.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\NEW PO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: NEW PO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NEW PO.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ml.pdbZ source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb7 source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdbd source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb} source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb_ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbY source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.pdb` source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb. source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbu source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbq source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbM source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbo source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbG source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: CMemoryExecute.pdb`*" source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdbk source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdbI source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: xecute.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb[ source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: rawing.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbO source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: version.pdb{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb~o{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbU source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdbC source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdbw source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: j0C:\Windows\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source: Binary string: m'Xn.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source: Binary string: wmswsock.pdbS source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0 source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb= source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340203819.00000000054C0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: pnrpnsp.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbi source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: NEW PO.PDB source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source: Binary string: .pdbI source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: .pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdbA source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_00EB7A8C pushfd ; ret 0_2_00EB7A8D
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 0_2_0318F278 push esp; retf 0_2_0318F279
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00607A8C pushfd ; ret 7_2_00607A8D
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_00DEE674 push esp; ret 7_2_00DEE679
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_04F7AC12 pushfd ; ret 7_2_04F7AC21
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00442871 push ecx; ret 10_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00442A90 push eax; ret 10_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00442A90 push eax; ret 10_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00446E54 push eax; ret 10_2_00446E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00411879 push ecx; ret 11_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004118A0 push eax; ret 11_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004118A0 push eax; ret 11_2_004118DC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00787A8C pushfd ; ret 15_2_00787A8D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_00FBF278 push esp; retf 15_2_00FBF279
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050D7118 push eax; retn 050Bh 15_2_050D7309
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 15_2_050D8822 push esp; iretd 15_2_050D8829
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_00717A8C pushfd ; ret 16_2_00717A8D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_011441E3 push edi; retn 0002h 16_2_011441F2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_0114E673 push esp; ret 16_2_0114E679
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_004422C7
Source: initial sample Static PE information: section name: .text entropy: 7.88873846261
Source: initial sample Static PE information: section name: .text entropy: 7.88873846261

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\NEW PO.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\NEW PO.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\NEW PO.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00441975
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.NEW PO.exe.33497d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.2c2982c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.319982c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NEW PO.exe, 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: NEW PO.exe, 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\NEW PO.exe TID: 7160 Thread sleep time: -42920s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2244 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6012 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6492 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6484 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6504 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -99640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -99324s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -99140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -98867s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -98429s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -98325s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -98203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -98094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -97240s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -97115s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -96172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408 Thread sleep time: -95890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 5784 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3348 Thread sleep time: -38078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3324 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3952 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1860 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4140 Thread sleep time: -36592s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2808 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4564 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6448 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -98928s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -98426s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -98046s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464 Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6016 Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\NEW PO.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 10_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 180000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\NEW PO.exe Window / User API: threadDelayed 742 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Window / User API: threadDelayed 1030 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 1274
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NEW PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 42920 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 140000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 99640 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 99324 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 99140 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 98867 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 98429 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 98325 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 98203 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 98094 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 97240 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 97115 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96984 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96859 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96750 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96625 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96515 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96390 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96281 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 96172 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 95890 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 38078 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 36592
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 99703
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 98928
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 98426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 98156
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 98046
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97265
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 97046
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 180000
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: NEW PO.exe, 00000000.00000003.294779482.00000000080E0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000003.353245036.0000000007330000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000003.370785352.0000000007460000.00000004.00000001.sdmp Binary or memory string: QEmu.
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp Binary or memory string: +QEmu
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp Binary or memory string: vmware
Source: NEW PO.exe, 00000007.00000000.316706210.0000000000E25000.00000004.00000020.sdmp, WindowsUpdate.exe, 00000010.00000002.358757516.0000000000E77000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\NEW PO.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004161B0 memset,GetSystemInfo, 10_2_004161B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 10_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 10_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 11_2_00406EC3

Anti Debugging:

barindex
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 10_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_004422C7
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\NEW PO.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process queried: DebugPort
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Enables debug privileges
Source: C:\Users\user\Desktop\NEW PO.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\NEW PO.exe Code function: 7_2_07A65190 LdrInitializeThunk, 7_2_07A65190
Source: C:\Users\user\Desktop\NEW PO.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\NEW PO.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000 Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
.NET source code references suspicious native API functions
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.11.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.6.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.38.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.21.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.16.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.26.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.4.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.NEW PO.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Users\user\Desktop\NEW PO.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Users\user\Desktop\NEW PO.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 10_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 11_2_0040724C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00407674 GetVersionExW, 10_2_00407674

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\NEW PO.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\NEW PO.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
AV process strings found (often used to terminate AV products)
Source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394809421.0000000007A70000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: NEW PO.exe, 00000007.00000000.319830078.00000000072C0000.00000004.00000001.sdmp Binary or memory string: Defender\MsMpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected MailPassView
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42d9930.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.40.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.42d9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3aa9930.46.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3aa9930.46.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.42d9930.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.3aa9930.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42d9930.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42d9930.45.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42d9930.45.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3aa9930.35.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.45fa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.45fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3aa9930.35.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.319742971.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.320558066.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.320160730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.404452957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.402038118.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401599576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5076, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 11_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 11_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 11_2_004033D7
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 22.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.39.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.39.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.3ac2370.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42d9930.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.409c0d.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42f2370.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.42d9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3aa9930.46.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3ac2370.47.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42f2370.46.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.3ac2370.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.42f2370.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3ac2370.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42d9930.45.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42f2370.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3ac2370.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.42f2370.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3aa9930.35.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.3ac2370.47.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.42f2370.46.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.420264771.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.398239322.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.317013131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.399210452.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.316648058.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6828, type: MEMORYSTR
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Remote Access Functionality:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Detected HawkEye Rat
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: NEW PO.exe, 00000007.00000000.317321122.0000000002B0B000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: NEW PO.exe, 00000007.00000002.362334776.0000000002AEF000.00000004.00000001.sdmp String found in binary or memory: Om"HawkEye_Keylogger_Stealer_Records_
Source: NEW PO.exe, 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp String found in binary or memory: Om&HawkEye_Keylogger_Execution_Confirmed_
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp String found in binary or memory: Om&HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp String found in binary or memory: Om"HawkEye_Keylogger_Stealer_Records_
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs