Play interactive tour

Edit tour

Windows Analysis Report NEW PO.exe

Overview

General Information

Sample Name:	NEW PO.exe
Analysis ID:	511007
MD5:	770f6e88b7bf3fe3aae144a5aa41dc96
SHA1:	ed96d179403ab319da62c092a817a5ebeea8c3da
SHA256:	08187be5bb78da6c7751c5d870d46e43e6b4204db6abf2cc2d80e9830fd136ba
Tags:	exehawkeye
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Yara detected HawkEye Keylogger

Yara detected AntiVM3

Malicious sample detected (through community Yara rule)

Detected HawkEye Rat

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Tries to steal Mail credentials (via file access)

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Installs a global keyboard hook

Writes to foreign memory regions

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Changes the view of files in windows explorer (hidden files and folders)

Yara detected WebBrowserPassView password recovery tool

Machine Learning detection for dropped file

Tries to steal Instant Messenger accounts or passwords

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Checks if the current process is being debugged

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May infect USB drives

Found potential string decryption / allocating functions

Contains functionality to call native functions

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

NEW PO.exe (PID: 7156 cmdline: 'C:\Users\user\Desktop\NEW PO.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

NEW PO.exe (PID: 6044 cmdline: C:\Users\user\Desktop\NEW PO.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

vbc.exe (PID: 6692 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 6728 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 6724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WindowsUpdate.exe (PID: 6976 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

WindowsUpdate.exe (PID: 7120 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

WindowsUpdate.exe (PID: 4816 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

WindowsUpdate.exe (PID: 3996 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

vbc.exe (PID: 6828 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 5076 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 6008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5028 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7230:$hawkstr1: HawkEye Keylogger 0xc090:$hawkstr1: HawkEye Keylogger 0xc0f0:$hawkstr2: Dear HawkEye Customers! 0x126:$hawkstr3: HawkEye Logger Details:
00000012.00000002.439571003.0000000008640000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x105d9:$key: HawkEyeKeylogger 0x12857:$salt: 099u787978786 0x10c36:$string1: HawkEye_Keylogger 0x11a89:$string1: HawkEye_Keylogger 0x127b7:$string1: HawkEye_Keylogger 0x1101f:$string2: holdermail.txt 0x1103f:$string2: holdermail.txt 0x10f61:$string3: wallet.dat 0x10f79:$string3: wallet.dat 0x10f8f:$string3: wallet.dat 0x1237b:$string4: Keylog Records 0x12693:$string4: Keylog Records 0x128af:$string5: do not script --> 0x105c1:$string6: \pidloc.txt 0x1064f:$string7: BSPLIT 0x1065f:$string7: BSPLIT
0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x10c8e:$hawkstr1: HawkEye Keylogger 0x11acf:$hawkstr1: HawkEye Keylogger 0x11dfe:$hawkstr1: HawkEye Keylogger 0x11f59:$hawkstr1: HawkEye Keylogger 0x120bc:$hawkstr1: HawkEye Keylogger 0x12353:$hawkstr1: HawkEye Keylogger 0x10800:$hawkstr2: Dear HawkEye Customers! 0x11e51:$hawkstr2: Dear HawkEye Customers! 0x11fa8:$hawkstr2: Dear HawkEye Customers! 0x1210f:$hawkstr2: Dear HawkEye Customers! 0x10921:$hawkstr3: HawkEye Logger Details:
00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000000.395440509.0000000008660000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.395401347.0000000008640000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000002.366905535.0000000007C60000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000016.00000002.420264771.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000016.00000000.398239322.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000000.317013131.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x88f4:$hawkstr1: HawkEye Keylogger 0xc690:$hawkstr1: HawkEye Keylogger 0xd368:$hawkstr1: HawkEye Keylogger 0xd6e8:$hawkstr1: HawkEye Keylogger 0xe058:$hawkstr1: HawkEye Keylogger 0x8384:$hawkstr2: Dear HawkEye Customers! 0xa7a8:$hawkstr2: Dear HawkEye Customers! 0xd3c8:$hawkstr2: Dear HawkEye Customers! 0xd748:$hawkstr2: Dear HawkEye Customers! 0x84b2:$hawkstr3: HawkEye Logger Details: 0xa8d2:$hawkstr3: HawkEye Logger Details:
00000012.00000000.408411000.0000000008640000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x4a2429:$key: HawkEyeKeylogger 0x524449:$key: HawkEyeKeylogger 0x4a46a7:$salt: 099u787978786 0x5266c7:$salt: 099u787978786 0x4a2a86:$string1: HawkEye_Keylogger 0x4a38d9:$string1: HawkEye_Keylogger 0x4a4607:$string1: HawkEye_Keylogger 0x524aa6:$string1: HawkEye_Keylogger 0x5258f9:$string1: HawkEye_Keylogger 0x526627:$string1: HawkEye_Keylogger 0x4a2e6f:$string2: holdermail.txt 0x4a2e8f:$string2: holdermail.txt 0x524e8f:$string2: holdermail.txt 0x524eaf:$string2: holdermail.txt 0x4a2db1:$string3: wallet.dat 0x4a2dc9:$string3: wallet.dat 0x4a2ddf:$string3: wallet.dat 0x524dd1:$string3: wallet.dat 0x524de9:$string3: wallet.dat 0x524dff:$string3: wallet.dat 0x4a41cb:$string4: Keylog Records
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x4a2ade:$hawkstr1: HawkEye Keylogger 0x4a391f:$hawkstr1: HawkEye Keylogger 0x4a3c4e:$hawkstr1: HawkEye Keylogger 0x4a3da9:$hawkstr1: HawkEye Keylogger 0x4a3f0c:$hawkstr1: HawkEye Keylogger 0x4a41a3:$hawkstr1: HawkEye Keylogger 0x524afe:$hawkstr1: HawkEye Keylogger 0x52593f:$hawkstr1: HawkEye Keylogger 0x525c6e:$hawkstr1: HawkEye Keylogger 0x525dc9:$hawkstr1: HawkEye Keylogger 0x525f2c:$hawkstr1: HawkEye Keylogger 0x5261c3:$hawkstr1: HawkEye Keylogger 0x4a2650:$hawkstr2: Dear HawkEye Customers! 0x4a3ca1:$hawkstr2: Dear HawkEye Customers! 0x4a3df8:$hawkstr2: Dear HawkEye Customers! 0x4a3f5f:$hawkstr2: Dear HawkEye Customers! 0x524670:$hawkstr2: Dear HawkEye Customers! 0x525cc1:$hawkstr2: Dear HawkEye Customers! 0x525e18:$hawkstr2: Dear HawkEye Customers! 0x525f7f:$hawkstr2: Dear HawkEye Customers! 0x4a2771:$hawkstr3: HawkEye Logger Details:
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.315132026.0000000007C60000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.315200782.0000000007EE0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.408464737.0000000008660000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.319742971.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000016.00000000.399210452.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.316648058.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000000.320558066.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.320160730.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7230:$hawkstr1: HawkEye Keylogger 0xc090:$hawkstr1: HawkEye Keylogger 0xc0f0:$hawkstr2: Dear HawkEye Customers! 0x126:$hawkstr3: HawkEye Logger Details:
0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000017.00000002.404452957.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x9ff4:$hawkstr1: HawkEye Keylogger 0xd3c8:$hawkstr1: HawkEye Keylogger 0xd7a4:$hawkstr1: HawkEye Keylogger 0xe728:$hawkstr1: HawkEye Keylogger 0x9a84:$hawkstr2: Dear HawkEye Customers! 0xc80c:$hawkstr2: Dear HawkEye Customers! 0xd428:$hawkstr2: Dear HawkEye Customers! 0xd804:$hawkstr2: Dear HawkEye Customers! 0x9bb2:$hawkstr3: HawkEye Logger Details: 0xc936:$hawkstr3: HawkEye Logger Details:
00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000017.00000000.402038118.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000017.00000000.401599576.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x4a2429:$key: HawkEyeKeylogger 0x524449:$key: HawkEyeKeylogger 0x4a46a7:$salt: 099u787978786 0x5266c7:$salt: 099u787978786 0x4a2a86:$string1: HawkEye_Keylogger 0x4a38d9:$string1: HawkEye_Keylogger 0x4a4607:$string1: HawkEye_Keylogger 0x524aa6:$string1: HawkEye_Keylogger 0x5258f9:$string1: HawkEye_Keylogger 0x526627:$string1: HawkEye_Keylogger 0x4a2e6f:$string2: holdermail.txt 0x4a2e8f:$string2: holdermail.txt 0x524e8f:$string2: holdermail.txt 0x524eaf:$string2: holdermail.txt 0x4a2db1:$string3: wallet.dat 0x4a2dc9:$string3: wallet.dat 0x4a2ddf:$string3: wallet.dat 0x524dd1:$string3: wallet.dat 0x524de9:$string3: wallet.dat 0x524dff:$string3: wallet.dat 0x4a41cb:$string4: Keylog Records
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x4a2ade:$hawkstr1: HawkEye Keylogger 0x4a391f:$hawkstr1: HawkEye Keylogger 0x4a3c4e:$hawkstr1: HawkEye Keylogger 0x4a3da9:$hawkstr1: HawkEye Keylogger 0x4a3f0c:$hawkstr1: HawkEye Keylogger 0x4a41a3:$hawkstr1: HawkEye Keylogger 0x524afe:$hawkstr1: HawkEye Keylogger 0x52593f:$hawkstr1: HawkEye Keylogger 0x525c6e:$hawkstr1: HawkEye Keylogger 0x525dc9:$hawkstr1: HawkEye Keylogger 0x525f2c:$hawkstr1: HawkEye Keylogger 0x5261c3:$hawkstr1: HawkEye Keylogger 0x4a2650:$hawkstr2: Dear HawkEye Customers! 0x4a3ca1:$hawkstr2: Dear HawkEye Customers! 0x4a3df8:$hawkstr2: Dear HawkEye Customers! 0x4a3f5f:$hawkstr2: Dear HawkEye Customers! 0x524670:$hawkstr2: Dear HawkEye Customers! 0x525cc1:$hawkstr2: Dear HawkEye Customers! 0x525e18:$hawkstr2: Dear HawkEye Customers! 0x525f7f:$hawkstr2: Dear HawkEye Customers! 0x4a2771:$hawkstr3: HawkEye Logger Details:
00000012.00000002.439615340.0000000008660000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000002.367050092.0000000007EE0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.320411963.0000000007C60000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x4a2429:$key: HawkEyeKeylogger 0x524449:$key: HawkEyeKeylogger 0x4a46a7:$salt: 099u787978786 0x5266c7:$salt: 099u787978786 0x4a2a86:$string1: HawkEye_Keylogger 0x4a38d9:$string1: HawkEye_Keylogger 0x4a4607:$string1: HawkEye_Keylogger 0x524aa6:$string1: HawkEye_Keylogger 0x5258f9:$string1: HawkEye_Keylogger 0x526627:$string1: HawkEye_Keylogger 0x4a2e6f:$string2: holdermail.txt 0x4a2e8f:$string2: holdermail.txt 0x524e8f:$string2: holdermail.txt 0x524eaf:$string2: holdermail.txt 0x4a2db1:$string3: wallet.dat 0x4a2dc9:$string3: wallet.dat 0x4a2ddf:$string3: wallet.dat 0x524dd1:$string3: wallet.dat 0x524de9:$string3: wallet.dat 0x524dff:$string3: wallet.dat 0x4a41cb:$string4: Keylog Records
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x4a2ade:$hawkstr1: HawkEye Keylogger 0x4a391f:$hawkstr1: HawkEye Keylogger 0x4a3c4e:$hawkstr1: HawkEye Keylogger 0x4a3da9:$hawkstr1: HawkEye Keylogger 0x4a3f0c:$hawkstr1: HawkEye Keylogger 0x4a41a3:$hawkstr1: HawkEye Keylogger 0x524afe:$hawkstr1: HawkEye Keylogger 0x52593f:$hawkstr1: HawkEye Keylogger 0x525c6e:$hawkstr1: HawkEye Keylogger 0x525dc9:$hawkstr1: HawkEye Keylogger 0x525f2c:$hawkstr1: HawkEye Keylogger 0x5261c3:$hawkstr1: HawkEye Keylogger 0x4a2650:$hawkstr2: Dear HawkEye Customers! 0x4a3ca1:$hawkstr2: Dear HawkEye Customers! 0x4a3df8:$hawkstr2: Dear HawkEye Customers! 0x4a3f5f:$hawkstr2: Dear HawkEye Customers! 0x524670:$hawkstr2: Dear HawkEye Customers! 0x525cc1:$hawkstr2: Dear HawkEye Customers! 0x525e18:$hawkstr2: Dear HawkEye Customers! 0x525f7f:$hawkstr2: Dear HawkEye Customers! 0x4a2771:$hawkstr3: HawkEye Logger Details:
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: NEW PO.exe PID: 6044	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: NEW PO.exe PID: 6044	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: NEW PO.exe PID: 6044	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WerFault.exe PID: 6724	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 7120	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 7120	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 7120	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 3996	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 3996	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 3996	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 6828	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 5076	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 200 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.NEW PO.exe.2d9bffc.45.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.2afd174.43.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.7ee0000.37.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.45fa72.29.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.8660000.48.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
22.0.vbc.exe.400000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.35f1ffc.44.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.409c0d.39.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.14.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.3ac2370.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42d9930.33.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42d9930.33.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.45fa72.9.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
16.2.WindowsUpdate.exe.409c0d.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.42f2370.34.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.vbc.exe.400000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.8640000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.45fa72.40.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.17.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.408208.40.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.40.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.40.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.40.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.40.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.40.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.8.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
11.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.45fa72.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.7ee0000.49.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.45fa72.14.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.27.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.7ee0000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
22.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.21.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.39.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.39.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.39.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.39.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.39.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.42d9930.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.42d9930.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.27.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.2af76d8.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.332d36c.31.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.2.NEW PO.exe.409c0d.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.2.NEW PO.exe.409c0d.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.409c0d.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.409c0d.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.409c0d.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.8640000.35.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.6.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.19.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.35e4248.43.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.23.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.23.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.23.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.23.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.23.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.23.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.11.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.11.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.11.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.11.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.2.WindowsUpdate.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.14.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.23.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.8640000.47.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.6.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.6.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.6.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.6.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.2.WindowsUpdate.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.7.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.2.WindowsUpdate.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.7.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.408208.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.7.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.7.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.26.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.26.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.26.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.26.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.26.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.26.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.2afd174.31.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.474fbd0.5.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79a59:$key: HawkEyeKeylogger 0x7bcd7:$salt: 099u787978786 0x7a0b6:$string1: HawkEye_Keylogger 0x7af09:$string1: HawkEye_Keylogger 0x7bc37:$string1: HawkEye_Keylogger 0x7a49f:$string2: holdermail.txt 0x7a4bf:$string2: holdermail.txt 0x7a3e1:$string3: wallet.dat 0x7a3f9:$string3: wallet.dat 0x7a40f:$string3: wallet.dat 0x7b7fb:$string4: Keylog Records 0x7bb13:$string4: Keylog Records 0x7bd2f:$string5: do not script --> 0x79a41:$string6: \pidloc.txt 0x79acf:$string7: BSPLIT 0x79adf:$string7: BSPLIT
0.2.NEW PO.exe.474fbd0.5.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.474fbd0.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.474fbd0.5.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.474fbd0.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.474fbd0.5.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a10e:$hawkstr1: HawkEye Keylogger 0x7af4f:$hawkstr1: HawkEye Keylogger 0x7b27e:$hawkstr1: HawkEye Keylogger 0x7b3d9:$hawkstr1: HawkEye Keylogger 0x7b53c:$hawkstr1: HawkEye Keylogger 0x7b7d3:$hawkstr1: HawkEye Keylogger 0x79c80:$hawkstr2: Dear HawkEye Customers! 0x7b2d1:$hawkstr2: Dear HawkEye Customers! 0x7b428:$hawkstr2: Dear HawkEye Customers! 0x7b58f:$hawkstr2: Dear HawkEye Customers! 0x79da1:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.2.WindowsUpdate.exe.408208.1.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.2.WindowsUpdate.exe.408208.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.45fa72.40.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.40.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.40.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.40.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.45fa72.24.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.0.vbc.exe.400000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.3aa9930.46.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3aa9930.46.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.3aa9930.46.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.19.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3ac2370.47.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.42d9930.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
23.0.vbc.exe.400000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.23.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.2d94168.32.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
23.0.vbc.exe.400000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.35e4248.32.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.408208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.2.WindowsUpdate.exe.408208.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.408208.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.408208.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.408208.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.408208.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42f2370.46.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.8660000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.27.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
23.0.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.0.vbc.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.38.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.2acb1c8.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.332d36c.42.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
11.0.vbc.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
22.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.3ac2370.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.16.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.0.vbc.exe.400000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.38.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.38.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.38.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.38.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.38.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.38.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.11.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.11.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.11.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
11.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.7c60000.36.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.400000.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.459fbd0.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79a59:$key: HawkEyeKeylogger 0x7bcd7:$salt: 099u787978786 0x7a0b6:$string1: HawkEye_Keylogger 0x7af09:$string1: HawkEye_Keylogger 0x7bc37:$string1: HawkEye_Keylogger 0x7a49f:$string2: holdermail.txt 0x7a4bf:$string2: holdermail.txt 0x7a3e1:$string3: wallet.dat 0x7a3f9:$string3: wallet.dat 0x7a40f:$string3: wallet.dat 0x7b7fb:$string4: Keylog Records 0x7bb13:$string4: Keylog Records 0x7bd2f:$string5: do not script --> 0x79a41:$string6: \pidloc.txt 0x79acf:$string7: BSPLIT 0x79adf:$string7: BSPLIT
17.2.WindowsUpdate.exe.459fbd0.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.459fbd0.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a10e:$hawkstr1: HawkEye Keylogger 0x7af4f:$hawkstr1: HawkEye Keylogger 0x7b27e:$hawkstr1: HawkEye Keylogger 0x7b3d9:$hawkstr1: HawkEye Keylogger 0x7b53c:$hawkstr1: HawkEye Keylogger 0x7b7d3:$hawkstr1: HawkEye Keylogger 0x79c80:$hawkstr2: Dear HawkEye Customers! 0x7b2d1:$hawkstr2: Dear HawkEye Customers! 0x7b428:$hawkstr2: Dear HawkEye Customers! 0x7b58f:$hawkstr2: Dear HawkEye Customers! 0x79da1:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.409c0d.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.vbc.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.3aa9930.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
10.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.42d9930.33.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.2d94168.44.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.33497d4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.NEW PO.exe.7c60000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.32fb060.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.409c0d.19.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.2.NEW PO.exe.408208.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.2.NEW PO.exe.408208.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.9.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.9.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42d9930.45.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.24.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.24.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.24.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.24.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.28.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.28.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
22.0.vbc.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.6.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.6.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.6.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.45fa72.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.2.NEW PO.exe.45fa72.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.45fa72.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.45fa72.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.42f2370.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.3ac2370.34.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
23.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42d9930.45.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42d9930.45.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.2d9bffc.33.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.8660000.36.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.24.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.24.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.24.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.24.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.24.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.24.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.37.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.37.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.37.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.37.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.37.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.37.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42f2370.34.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
22.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.400000.21.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.21.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.21.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.21.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.21.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.21.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.408208.28.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.28.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.28.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.28.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.28.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.28.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0xfd879:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0xffaf7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0xfded6:$string1: HawkEye_Keylogger 0xfed29:$string1: HawkEye_Keylogger 0xffa57:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0xfe2bf:$string2: holdermail.txt 0xfe2df:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0xfe201:$string3: wallet.dat 0xfe219:$string3: wallet.dat 0xfe22f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0xfdf2e:$hawkstr1: HawkEye Keylogger 0xfed6f:$hawkstr1: HawkEye Keylogger 0xff09e:$hawkstr1: HawkEye Keylogger 0xff1f9:$hawkstr1: HawkEye Keylogger 0xff35c:$hawkstr1: HawkEye Keylogger 0xff5f3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0xfdaa0:$hawkstr2: Dear HawkEye Customers! 0xff0f1:$hawkstr2: Dear HawkEye Customers! 0xff248:$hawkstr2: Dear HawkEye Customers! 0xff3af:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.41.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.41.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.3ac2370.34.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.42f2370.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.16.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.16.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.16.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.16.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.16.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.16.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.45fa72.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.45fa72.17.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.9.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.17.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.3aa9930.35.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3aa9930.35.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.22.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.22.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.409c0d.8.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.23.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79a59:$key: HawkEyeKeylogger 0x7bcd7:$salt: 099u787978786 0x7a0b6:$string1: HawkEye_Keylogger 0x7af09:$string1: HawkEye_Keylogger 0x7bc37:$string1: HawkEye_Keylogger 0x7a49f:$string2: holdermail.txt 0x7a4bf:$string2: holdermail.txt 0x7a3e1:$string3: wallet.dat 0x7a3f9:$string3: wallet.dat 0x7a40f:$string3: wallet.dat 0x7b7fb:$string4: Keylog Records 0x7bb13:$string4: Keylog Records 0x7bd2f:$string5: do not script --> 0x79a41:$string6: \pidloc.txt 0x79acf:$string7: BSPLIT 0x79adf:$string7: BSPLIT
15.2.WindowsUpdate.exe.402fbd0.5.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.402fbd0.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a10e:$hawkstr1: HawkEye Keylogger 0x7af4f:$hawkstr1: HawkEye Keylogger 0x7b27e:$hawkstr1: HawkEye Keylogger 0x7b3d9:$hawkstr1: HawkEye Keylogger 0x7b53c:$hawkstr1: HawkEye Keylogger 0x7b7d3:$hawkstr1: HawkEye Keylogger 0x79c80:$hawkstr2: Dear HawkEye Customers! 0x7b2d1:$hawkstr2: Dear HawkEye Customers! 0x7b428:$hawkstr2: Dear HawkEye Customers! 0x7b58f:$hawkstr2: Dear HawkEye Customers! 0x79da1:$hawkstr3: HawkEye Logger Details:
15.2.WindowsUpdate.exe.2c2982c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.21.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.45fa72.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.16.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.45fa72.29.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.29.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.29.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.29.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.319982c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.NEW PO.exe.3aa9930.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.3aa9930.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.18.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.18.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
22.0.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.9.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.7c60000.48.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
23.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3ac2370.47.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.3aa9930.35.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42f2370.46.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.26.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.26.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.26.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.26.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.26.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.26.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.29.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.11.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.2.NEW PO.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.2.NEW PO.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.18.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.18.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.18.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.18.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.18.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.18.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.474fbd0.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0xfd879:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0xffaf7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0xfded6:$string1: HawkEye_Keylogger 0xfed29:$string1: HawkEye_Keylogger 0xffa57:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0xfe2bf:$string2: holdermail.txt 0xfe2df:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0xfe201:$string3: wallet.dat 0xfe219:$string3: wallet.dat 0xfe22f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records
0.2.NEW PO.exe.474fbd0.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.474fbd0.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.474fbd0.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.474fbd0.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.474fbd0.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0xfdf2e:$hawkstr1: HawkEye Keylogger 0xfed6f:$hawkstr1: HawkEye Keylogger 0xff09e:$hawkstr1: HawkEye Keylogger 0xff1f9:$hawkstr1: HawkEye Keylogger 0xff35c:$hawkstr1: HawkEye Keylogger 0xff5f3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0xfdaa0:$hawkstr2: Dear HawkEye Customers! 0xff0f1:$hawkstr2: Dear HawkEye Customers! 0xff248:$hawkstr2: Dear HawkEye Customers! 0xff3af:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0xfd879:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0xffaf7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0xfded6:$string1: HawkEye_Keylogger 0xfed29:$string1: HawkEye_Keylogger 0xffa57:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0xfe2bf:$string2: holdermail.txt 0xfe2df:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0xfe201:$string3: wallet.dat 0xfe219:$string3: wallet.dat 0xfe22f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0xfdf2e:$hawkstr1: HawkEye Keylogger 0xfed6f:$hawkstr1: HawkEye Keylogger 0xff09e:$hawkstr1: HawkEye Keylogger 0xff1f9:$hawkstr1: HawkEye Keylogger 0xff35c:$hawkstr1: HawkEye Keylogger 0xff5f3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0xfdaa0:$hawkstr2: Dear HawkEye Customers! 0xff0f1:$hawkstr2: Dear HawkEye Customers! 0xff248:$hawkstr2: Dear HawkEye Customers! 0xff3af:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.43c56d8.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x405d51:$key: HawkEyeKeylogger 0x487d71:$key: HawkEyeKeylogger 0x407fcf:$salt: 099u787978786 0x489fef:$salt: 099u787978786 0x4063ae:$string1: HawkEye_Keylogger 0x407201:$string1: HawkEye_Keylogger 0x407f2f:$string1: HawkEye_Keylogger 0x4883ce:$string1: HawkEye_Keylogger 0x489221:$string1: HawkEye_Keylogger 0x489f4f:$string1: HawkEye_Keylogger 0x406797:$string2: holdermail.txt 0x4067b7:$string2: holdermail.txt 0x4887b7:$string2: holdermail.txt 0x4887d7:$string2: holdermail.txt 0x4066d9:$string3: wallet.dat 0x4066f1:$string3: wallet.dat 0x406707:$string3: wallet.dat 0x4886f9:$string3: wallet.dat 0x488711:$string3: wallet.dat 0x488727:$string3: wallet.dat 0x407af3:$string4: Keylog Records
0.2.NEW PO.exe.43c56d8.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.43c56d8.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.43c56d8.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.43c56d8.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.43c56d8.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x406406:$hawkstr1: HawkEye Keylogger 0x407247:$hawkstr1: HawkEye Keylogger 0x407576:$hawkstr1: HawkEye Keylogger 0x4076d1:$hawkstr1: HawkEye Keylogger 0x407834:$hawkstr1: HawkEye Keylogger 0x407acb:$hawkstr1: HawkEye Keylogger 0x488426:$hawkstr1: HawkEye Keylogger 0x489267:$hawkstr1: HawkEye Keylogger 0x489596:$hawkstr1: HawkEye Keylogger 0x4896f1:$hawkstr1: HawkEye Keylogger 0x489854:$hawkstr1: HawkEye Keylogger 0x489aeb:$hawkstr1: HawkEye Keylogger 0x405f78:$hawkstr2: Dear HawkEye Customers! 0x4075c9:$hawkstr2: Dear HawkEye Customers! 0x407720:$hawkstr2: Dear HawkEye Customers! 0x407887:$hawkstr2: Dear HawkEye Customers! 0x487f98:$hawkstr2: Dear HawkEye Customers! 0x4895e9:$hawkstr2: Dear HawkEye Customers! 0x489740:$hawkstr2: Dear HawkEye Customers! 0x4898a7:$hawkstr2: Dear HawkEye Customers! 0x406099:$hawkstr3: HawkEye Logger Details:
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x222cd9:$key: HawkEyeKeylogger 0x2a4cf9:$key: HawkEyeKeylogger 0x224f57:$salt: 099u787978786 0x2a6f77:$salt: 099u787978786 0x223336:$string1: HawkEye_Keylogger 0x224189:$string1: HawkEye_Keylogger 0x224eb7:$string1: HawkEye_Keylogger 0x2a5356:$string1: HawkEye_Keylogger 0x2a61a9:$string1: HawkEye_Keylogger 0x2a6ed7:$string1: HawkEye_Keylogger 0x22371f:$string2: holdermail.txt 0x22373f:$string2: holdermail.txt 0x2a573f:$string2: holdermail.txt 0x2a575f:$string2: holdermail.txt 0x223661:$string3: wallet.dat 0x223679:$string3: wallet.dat 0x22368f:$string3: wallet.dat 0x2a5681:$string3: wallet.dat 0x2a5699:$string3: wallet.dat 0x2a56af:$string3: wallet.dat 0x224a7b:$string4: Keylog Records
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x22338e:$hawkstr1: HawkEye Keylogger 0x2241cf:$hawkstr1: HawkEye Keylogger 0x2244fe:$hawkstr1: HawkEye Keylogger 0x224659:$hawkstr1: HawkEye Keylogger 0x2247bc:$hawkstr1: HawkEye Keylogger 0x224a53:$hawkstr1: HawkEye Keylogger 0x2a53ae:$hawkstr1: HawkEye Keylogger 0x2a61ef:$hawkstr1: HawkEye Keylogger 0x2a651e:$hawkstr1: HawkEye Keylogger 0x2a6679:$hawkstr1: HawkEye Keylogger 0x2a67dc:$hawkstr1: HawkEye Keylogger 0x2a6a73:$hawkstr1: HawkEye Keylogger 0x222f00:$hawkstr2: Dear HawkEye Customers! 0x224551:$hawkstr2: Dear HawkEye Customers! 0x2246a8:$hawkstr2: Dear HawkEye Customers! 0x22480f:$hawkstr2: Dear HawkEye Customers! 0x2a4f20:$hawkstr2: Dear HawkEye Customers! 0x2a6571:$hawkstr2: Dear HawkEye Customers! 0x2a66c8:$hawkstr2: Dear HawkEye Customers! 0x2a682f:$hawkstr2: Dear HawkEye Customers! 0x223021:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.45a8750.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x222cd9:$key: HawkEyeKeylogger 0x2a4cf9:$key: HawkEyeKeylogger 0x224f57:$salt: 099u787978786 0x2a6f77:$salt: 099u787978786 0x223336:$string1: HawkEye_Keylogger 0x224189:$string1: HawkEye_Keylogger 0x224eb7:$string1: HawkEye_Keylogger 0x2a5356:$string1: HawkEye_Keylogger 0x2a61a9:$string1: HawkEye_Keylogger 0x2a6ed7:$string1: HawkEye_Keylogger 0x22371f:$string2: holdermail.txt 0x22373f:$string2: holdermail.txt 0x2a573f:$string2: holdermail.txt 0x2a575f:$string2: holdermail.txt 0x223661:$string3: wallet.dat 0x223679:$string3: wallet.dat 0x22368f:$string3: wallet.dat 0x2a5681:$string3: wallet.dat 0x2a5699:$string3: wallet.dat 0x2a56af:$string3: wallet.dat 0x224a7b:$string4: Keylog Records
0.2.NEW PO.exe.45a8750.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.45a8750.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.45a8750.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.45a8750.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.45a8750.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x22338e:$hawkstr1: HawkEye Keylogger 0x2241cf:$hawkstr1: HawkEye Keylogger 0x2244fe:$hawkstr1: HawkEye Keylogger 0x224659:$hawkstr1: HawkEye Keylogger 0x2247bc:$hawkstr1: HawkEye Keylogger 0x224a53:$hawkstr1: HawkEye Keylogger 0x2a53ae:$hawkstr1: HawkEye Keylogger 0x2a61ef:$hawkstr1: HawkEye Keylogger 0x2a651e:$hawkstr1: HawkEye Keylogger 0x2a6679:$hawkstr1: HawkEye Keylogger 0x2a67dc:$hawkstr1: HawkEye Keylogger 0x2a6a73:$hawkstr1: HawkEye Keylogger 0x222f00:$hawkstr2: Dear HawkEye Customers! 0x224551:$hawkstr2: Dear HawkEye Customers! 0x2246a8:$hawkstr2: Dear HawkEye Customers! 0x22480f:$hawkstr2: Dear HawkEye Customers! 0x2a4f20:$hawkstr2: Dear HawkEye Customers! 0x2a6571:$hawkstr2: Dear HawkEye Customers! 0x2a66c8:$hawkstr2: Dear HawkEye Customers! 0x2a682f:$hawkstr2: Dear HawkEye Customers! 0x223021:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x222cd9:$key: HawkEyeKeylogger 0x2a4cf9:$key: HawkEyeKeylogger 0x224f57:$salt: 099u787978786 0x2a6f77:$salt: 099u787978786 0x223336:$string1: HawkEye_Keylogger 0x224189:$string1: HawkEye_Keylogger 0x224eb7:$string1: HawkEye_Keylogger 0x2a5356:$string1: HawkEye_Keylogger 0x2a61a9:$string1: HawkEye_Keylogger 0x2a6ed7:$string1: HawkEye_Keylogger 0x22371f:$string2: holdermail.txt 0x22373f:$string2: holdermail.txt 0x2a573f:$string2: holdermail.txt 0x2a575f:$string2: holdermail.txt 0x223661:$string3: wallet.dat 0x223679:$string3: wallet.dat 0x22368f:$string3: wallet.dat 0x2a5681:$string3: wallet.dat 0x2a5699:$string3: wallet.dat 0x2a56af:$string3: wallet.dat 0x224a7b:$string4: Keylog Records
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x22338e:$hawkstr1: HawkEye Keylogger 0x2241cf:$hawkstr1: HawkEye Keylogger 0x2244fe:$hawkstr1: HawkEye Keylogger 0x224659:$hawkstr1: HawkEye Keylogger 0x2247bc:$hawkstr1: HawkEye Keylogger 0x224a53:$hawkstr1: HawkEye Keylogger 0x2a53ae:$hawkstr1: HawkEye Keylogger 0x2a61ef:$hawkstr1: HawkEye Keylogger 0x2a651e:$hawkstr1: HawkEye Keylogger 0x2a6679:$hawkstr1: HawkEye Keylogger 0x2a67dc:$hawkstr1: HawkEye Keylogger 0x2a6a73:$hawkstr1: HawkEye Keylogger 0x222f00:$hawkstr2: Dear HawkEye Customers! 0x224551:$hawkstr2: Dear HawkEye Customers! 0x2246a8:$hawkstr2: Dear HawkEye Customers! 0x22480f:$hawkstr2: Dear HawkEye Customers! 0x2a4f20:$hawkstr2: Dear HawkEye Customers! 0x2a6571:$hawkstr2: Dear HawkEye Customers! 0x2a66c8:$hawkstr2: Dear HawkEye Customers! 0x2a682f:$hawkstr2: Dear HawkEye Customers! 0x223021:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.333ba6c.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x405d51:$key: HawkEyeKeylogger 0x487d71:$key: HawkEyeKeylogger 0x407fcf:$salt: 099u787978786 0x489fef:$salt: 099u787978786 0x4063ae:$string1: HawkEye_Keylogger 0x407201:$string1: HawkEye_Keylogger 0x407f2f:$string1: HawkEye_Keylogger 0x4883ce:$string1: HawkEye_Keylogger 0x489221:$string1: HawkEye_Keylogger 0x489f4f:$string1: HawkEye_Keylogger 0x406797:$string2: holdermail.txt 0x4067b7:$string2: holdermail.txt 0x4887b7:$string2: holdermail.txt 0x4887d7:$string2: holdermail.txt 0x4066d9:$string3: wallet.dat 0x4066f1:$string3: wallet.dat 0x406707:$string3: wallet.dat 0x4886f9:$string3: wallet.dat 0x488711:$string3: wallet.dat 0x488727:$string3: wallet.dat 0x407af3:$string4: Keylog Records
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x406406:$hawkstr1: HawkEye Keylogger 0x407247:$hawkstr1: HawkEye Keylogger 0x407576:$hawkstr1: HawkEye Keylogger 0x4076d1:$hawkstr1: HawkEye Keylogger 0x407834:$hawkstr1: HawkEye Keylogger 0x407acb:$hawkstr1: HawkEye Keylogger 0x488426:$hawkstr1: HawkEye Keylogger 0x489267:$hawkstr1: HawkEye Keylogger 0x489596:$hawkstr1: HawkEye Keylogger 0x4896f1:$hawkstr1: HawkEye Keylogger 0x489854:$hawkstr1: HawkEye Keylogger 0x489aeb:$hawkstr1: HawkEye Keylogger 0x405f78:$hawkstr2: Dear HawkEye Customers! 0x4075c9:$hawkstr2: Dear HawkEye Customers! 0x407720:$hawkstr2: Dear HawkEye Customers! 0x407887:$hawkstr2: Dear HawkEye Customers! 0x487f98:$hawkstr2: Dear HawkEye Customers! 0x4895e9:$hawkstr2: Dear HawkEye Customers! 0x489740:$hawkstr2: Dear HawkEye Customers! 0x4898a7:$hawkstr2: Dear HawkEye Customers! 0x406099:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x405d51:$key: HawkEyeKeylogger 0x487d71:$key: HawkEyeKeylogger 0x407fcf:$salt: 099u787978786 0x489fef:$salt: 099u787978786 0x4063ae:$string1: HawkEye_Keylogger 0x407201:$string1: HawkEye_Keylogger 0x407f2f:$string1: HawkEye_Keylogger 0x4883ce:$string1: HawkEye_Keylogger 0x489221:$string1: HawkEye_Keylogger 0x489f4f:$string1: HawkEye_Keylogger 0x406797:$string2: holdermail.txt 0x4067b7:$string2: holdermail.txt 0x4887b7:$string2: holdermail.txt 0x4887d7:$string2: holdermail.txt 0x4066d9:$string3: wallet.dat 0x4066f1:$string3: wallet.dat 0x406707:$string3: wallet.dat 0x4886f9:$string3: wallet.dat 0x488711:$string3: wallet.dat 0x488727:$string3: wallet.dat 0x407af3:$string4: Keylog Records
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x406406:$hawkstr1: HawkEye Keylogger 0x407247:$hawkstr1: HawkEye Keylogger 0x407576:$hawkstr1: HawkEye Keylogger 0x4076d1:$hawkstr1: HawkEye Keylogger 0x407834:$hawkstr1: HawkEye Keylogger 0x407acb:$hawkstr1: HawkEye Keylogger 0x488426:$hawkstr1: HawkEye Keylogger 0x489267:$hawkstr1: HawkEye Keylogger 0x489596:$hawkstr1: HawkEye Keylogger 0x4896f1:$hawkstr1: HawkEye Keylogger 0x489854:$hawkstr1: HawkEye Keylogger 0x489aeb:$hawkstr1: HawkEye Keylogger 0x405f78:$hawkstr2: Dear HawkEye Customers! 0x4075c9:$hawkstr2: Dear HawkEye Customers! 0x407720:$hawkstr2: Dear HawkEye Customers! 0x407887:$hawkstr2: Dear HawkEye Customers! 0x487f98:$hawkstr2: Dear HawkEye Customers! 0x4895e9:$hawkstr2: Dear HawkEye Customers! 0x489740:$hawkstr2: Dear HawkEye Customers! 0x4898a7:$hawkstr2: Dear HawkEye Customers! 0x406099:$hawkstr3: HawkEye Logger Details:
Click to see the 622 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for sample

Show sources

Source: NEW PO.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Joe Sandbox ML: detected

Source: 16.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.1.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.11.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.11.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.NEW PO.exe.474fbd0.5.unpack	Avira: Label: TR/Inject.vcoldi
Source: 7.0.NEW PO.exe.400000.6.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.6.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.26.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.26.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.1.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.38.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.38.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack	Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.37.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.37.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.21.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.21.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.16.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.16.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack	Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.26.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.26.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.4.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.NEW PO.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.NEW PO.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473

Source: NEW PO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: NEW PO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ml.pdbZ source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb7 source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\System.Runtime.Remoting.pdbd source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb} source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb_ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbY source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.pdb` source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb. source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbu source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbq source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbM source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbo source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbG source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb`*" source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdbk source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdbI source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb[ source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbO source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: version.pdb{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb~o{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbU source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdbC source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdbw source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: j0C:\Windows\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: m'Xn.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wmswsock.pdbS source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb0 source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb= source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340203819.00000000054C0000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbi source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: NEW PO.PDB source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: .pdbI source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdbA source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then jmp 04F7A630h
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then jmp 04F7A630h
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587

Source: global traffic

TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587

Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: NEW PO.exe, 00000007.00000000.319973922.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439124560.0000000007B0D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp	String found in binary or memory: http://foo.com/foo
Source: NEW PO.exe, 00000007.00000000.317987714.0000000002D82000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.391767128.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://mail.inbox.lv
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: NEW PO.exe, 00000007.00000000.312878482.0000000002AA1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: NEW PO.exe, 00000007.00000000.317839856.0000000002D35000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com
Source: NEW PO.exe, 00000007.00000000.317321122.0000000002B0B000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: NEW PO.exe, 00000007.00000000.313150769.0000000002D3E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com4
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.357016528.0000000002C4C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.435099803.00000000032D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000A.00000003.329276630.000000000059D000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329666537.0000000002871000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415728585.0000000002941000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000A.00000003.329353144.0000000002963000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415661775.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0

Source: unknown

DNS traffic detected: queries for: whatismyipaddress.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:11 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a543f9218035b86-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:47 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a5440731a042c52-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp	String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp	String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW PO.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: HookKeyboard

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe

Code function: 7_2_07A605A4 SetWindowsHookExA 0000000D,00000000,?,?

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,

Source: WindowsUpdate.exe, 0000000F.00000002.355381618.0000000000FD8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\NEW PO.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\NEW PO.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424

Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_0318D2F4
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_03187758
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_03187748
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEB29C
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEC310
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEB290
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DE99D0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEDFD0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BB5A0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BB258
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072B0040
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BEF88
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BBE70
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072B001F
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A62788
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A61FD0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A634D0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A6B180
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404F4E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FBD2F4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FB7758
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FB7748
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D0006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D0040
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050DE928
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050DE938
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114B29C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114C310
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114B290
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_011499D0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114DFD0

Source: NEW PO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 7.0.NEW PO.exe.2d9bffc.45.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.2afd174.43.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.7ee0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.8660000.48.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35f1ffc.44.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8640000.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7ee0000.49.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.7ee0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.2af76d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.332d36c.31.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.35.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.35e4248.43.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.47.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2afd174.31.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.32.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35e4248.32.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8660000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.2acb1c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.332d36c.42.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.36.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.44.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.7c60000.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.32fb060.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d9bffc.33.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8660000.36.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.48.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.333ba6c.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.439571003.0000000008640000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.395440509.0000000008660000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.395401347.0000000008640000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.366905535.0000000007C60000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.408411000.0000000008640000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315132026.0000000007C60000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315200782.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.408464737.0000000008660000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.439615340.0000000008660000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.367050092.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.320411963.0000000007C60000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.295510241.0000000000F70000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLRSurrogateEnt.exeH vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.290440235.00000000006C0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLRSurrogateEnt.exeH vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293949703.0000000000482000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.316678643.0000000000DFA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NEW PO.exe

Source: NEW PO.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: NEW PO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NEW PO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PO.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@22/22@4/4

Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()

Source: NEW PO.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\Desktop\NEW PO.exe

File read: C:\Users\user\Desktop\NEW PO.exe

Jump to behavior

Source: C:\Users\user\Desktop\NEW PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\NEW PO.exe 'C:\Users\user\Desktop\NEW PO.exe'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412

Source: C:\Users\user\Desktop\NEW PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\bhvF8EB.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\NEW PO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NEW PO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6044
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3996

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\NEW PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NEW PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: NEW PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NEW PO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ml.pdbZ source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb7 source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\System.Runtime.Remoting.pdbd source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb} source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb_ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbY source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.pdb` source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb. source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbu source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbq source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbM source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbo source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbG source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb`*" source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdbk source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdbI source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb[ source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbO source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: version.pdb{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb~o{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbU source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdbC source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdbw source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: j0C:\Windows\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: m'Xn.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wmswsock.pdbS source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb0 source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb= source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340203819.00000000054C0000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbi source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: NEW PO.PDB source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: .pdbI source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdbA source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_00EB7A8C pushfd ; ret
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_0318F278 push esp; retf
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00607A8C pushfd ; ret
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEE674 push esp; ret
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_04F7AC12 pushfd ; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00442871 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00442A90 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00442A90 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00446E54 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00411879 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_004118A0 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_004118A0 push eax; ret
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00787A8C pushfd ; ret
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FBF278 push esp; retf
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D7118 push eax; retn 050Bh
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D8822 push esp; iretd
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_00717A8C pushfd ; ret
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_011441E3 push edi; retn 0002h
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114E673 push esp; ret

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: initial sample	Static PE information: section name: .text entropy: 7.88873846261
Source: initial sample	Static PE information: section name: .text entropy: 7.88873846261

Source: C:\Users\user\Desktop\NEW PO.exe

File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NEW PO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.NEW PO.exe.33497d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.2c2982c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.319982c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: NEW PO.exe, 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: NEW PO.exe, 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\NEW PO.exe TID: 7160	Thread sleep time: -42920s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6492	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6484	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6504	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99324s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99140s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98867s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98429s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98325s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -97240s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -97115s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96859s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96750s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96625s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96515s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96172s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -95890s >= -30000s
Source: C:\Users\user\Desktop\NEW PO.exe TID: 5784	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3348	Thread sleep time: -38078s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3952	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4140	Thread sleep time: -36592s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2808	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4564	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6448	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98928s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98426s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98046s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6016	Thread sleep time: -180000s >= -30000s

Source: C:\Users\user\Desktop\NEW PO.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\Desktop\NEW PO.exe	Window / User API: threadDelayed 742
Source: C:\Users\user\Desktop\NEW PO.exe	Window / User API: threadDelayed 1030
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 1274

Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 42920
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 140000
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99640
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99324
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99140
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98867
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98429
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98325
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98203
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98094
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 97922
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 97240
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 97115
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96984
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96859
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96750
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96625
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96515
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96390
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96281
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96172
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 95890
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 38078
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 36592
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 99703
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98928
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98156
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98046
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97265
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97046
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 180000

Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: NEW PO.exe, 00000000.00000003.294779482.00000000080E0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000003.353245036.0000000007330000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000003.370785352.0000000007460000.00000004.00000001.sdmp	Binary or memory string: QEmu.
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Binary or memory string: +QEmu
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: NEW PO.exe, 00000007.00000000.316706210.0000000000E25000.00000004.00000020.sdmp, WindowsUpdate.exe, 00000010.00000002.358757516.0000000000E77000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\NEW PO.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_004161B0 memset,GetSystemInfo,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\NEW PO.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\NEW PO.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412

Source: C:\Users\user\Desktop\NEW PO.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\NEW PO.exe

Code function: 7_2_07A65190 LdrInitializeThunk,

Source: C:\Users\user\Desktop\NEW PO.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\NEW PO.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000

.NET source code references suspicious native API functions

Show sources

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.11.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.6.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.38.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.21.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.16.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.26.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.4.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.NEW PO.exe.400000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')

Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412

Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Users\user\Desktop\NEW PO.exe VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Users\user\Desktop\NEW PO.exe VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\NEW PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 11_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00407674 GetVersionExW,

Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394809421.0000000007A70000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: NEW PO.exe, 00000007.00000000.319830078.00000000072C0000.00000004.00000001.sdmp	Binary or memory string: Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected MailPassView

Show sources

Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.33.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42d9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.46.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.46.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42d9930.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3aa9930.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.33.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.45.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.45.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.35.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.35.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.319742971.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.320558066.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.320160730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.404452957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.402038118.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.401599576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5076, type: MEMORYSTR

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 22.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3ac2370.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.33.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.34.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42d9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.46.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.47.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.46.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3ac2370.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42f2370.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.34.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.45.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.34.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.34.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42f2370.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.35.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.47.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.46.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.420264771.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.398239322.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.317013131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.399210452.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.316648058.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6828, type: MEMORYSTR

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Remote Access Functionality:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR

Detected HawkEye Rat

Show sources

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: NEW PO.exe, 00000007.00000000.317321122.0000000002B0B000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: NEW PO.exe, 00000007.00000002.362334776.0000000002AEF000.00000004.00000001.sdmp	String found in binary or memory: Om"HawkEye_Keylogger_Stealer_Records_
Source: NEW PO.exe, 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp	String found in binary or memory: Om&HawkEye_Keylogger_Execution_Confirmed_
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp	String found in binary or memory: Om&HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp	String found in binary or memory: Om"HawkEye_Keylogger_Stealer_Records_

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation21	Application Shimming1	Application Shimming1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Registry Run Keys / Startup Folder1	Process Injection312	Deobfuscate/Decode Files or Information11	Input Capture311	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information41	Credentials in Registry2	Account Discovery1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	Credentials In Files1	File and Directory Discovery1	Distributed Component Object Model	Input Capture311	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	System Information Discovery19	SSH	Clipboard Data2	Data Transfer Size Limits	Non-Application Layer Protocol3	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion41	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol13	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection312	DCSync	Security Software Discovery151	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Virtualization/Sandbox Evasion41	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Process Discovery4	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Application Window Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	Remote System Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	Masquerade Task or Service	GUI Input Capture	System Network Configuration Discovery1	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NEW PO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
11.0.vbc.exe.400000.3.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.1.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
16.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
16.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.0.NEW PO.exe.400000.11.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.11.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
0.2.NEW PO.exe.474fbd0.5.unpack	100%	Avira	TR/Inject.vcoldi	Download File
7.0.NEW PO.exe.400000.6.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.6.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.26.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.26.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
23.0.vbc.exe.400000.3.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.2.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.1.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
7.0.NEW PO.exe.400000.38.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.38.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
17.2.WindowsUpdate.exe.459fbd0.4.unpack	100%	Avira	TR/Inject.vcoldi	Download File
16.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.2.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
10.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
22.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
18.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.37.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.37.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.0.NEW PO.exe.400000.21.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.21.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
22.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
7.0.NEW PO.exe.400000.16.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.16.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
15.2.WindowsUpdate.exe.402fbd0.5.unpack	100%	Avira	TR/Inject.vcoldi	Download File
16.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
16.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
10.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
7.0.NEW PO.exe.400000.26.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.26.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.0.NEW PO.exe.400000.4.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.2.NEW PO.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.2.NEW PO.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://whatismyipaddress.com4	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://foo.com/foo	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
whatismyipaddress.com	104.16.155.36	true	false		high
mail.inbox.lv	194.152.32.10	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://whatismyipaddress.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://mail.inbox.lv	NEW PO.exe, 00000007.00000000.317987714.0000000002D82000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.391767128.00000000035AF000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://whatismyipaddress.com4	NEW PO.exe, 00000007.00000000.313150769.0000000002D3E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.tiro.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.collada.org/2005/11/COLLADASchema9Done	NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.357016528.0000000002C4C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.typography.netD	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://whatismyipaddress.com/-	NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://login.yahoo.com/config/login	vbc.exe	false		high
http://www.fonts.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.site.com/logs.php	WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.435099803.00000000032D1000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c	vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.nirsoft.net/	vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&	vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NEW PO.exe, 00000007.00000000.312878482.0000000002AA1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0	NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://whatismyipaddress.com	NEW PO.exe, 00000007.00000000.317839856.0000000002D35000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://foo.com/foo	WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1	vbc.exe, 0000000A.00000003.329353144.0000000002963000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415661775.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
https://www.google.com/accounts/servicelogin	vbc.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g	vbc.exe, 0000000A.00000003.329276630.000000000059D000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329666537.0000000002871000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415728585.0000000002941000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.152.32.10	mail.inbox.lv	Latvia		12993	DEAC-ASLV	false
104.16.155.36	whatismyipaddress.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	511007
Start date:	28.10.2021
Start time:	14:42:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 18s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	NEW PO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@22/22@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.6% (good quality ratio 2.2%) Quality average: 69% Quality standard deviation: 36.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 40.126.31.139, 40.126.31.1, 40.126.31.137, 40.126.31.141, 20.190.159.134, 40.126.31.4, 40.126.31.6, 20.190.159.136, 104.208.16.94, 13.107.4.50, 20.199.120.85, 20.199.120.151, 52.251.79.25, 20.54.110.249, 80.67.82.235, 80.67.82.211, 40.91.112.76, 40.112.88.60, 20.199.120.182, 52.182.143.212 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, b1ns.c-0001.c-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, b1ns.au-msedge.net, onedsblobprdcus16.centralus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:43:04	API Interceptor	30x Sleep call for process: NEW PO.exe modified
14:43:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:43:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:43:27	API Interceptor	25x Sleep call for process: WindowsUpdate.exe modified
14:43:35	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NEW PO.exe_8055783c936bcb979ba1bb535241e11f1ba84c43_9f8533cf_1bd60d79\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.315991209012618
Encrypted:	false
SSDEEP:	192:8vGZVHBUZMXyaPXUlXK8zIUGrf/u7sjS274Itw9:kGbBUZMXyascf/u7sjX4Itw9
MD5:	4BF5AECA5BB4D456B80A0893C8B0A06F
SHA1:	2A6B42F5FBFE0D2C9B0A9F6197A718071C0787FF
SHA-256:	7600030D4651A32743C99EAF12CD95408762D31B91EEF6CCA2B670C285BD5669
SHA-512:	0FB1526C720E879D40A7C3C94716B9259930D7FB02EBDCB7A6AC27F7AFB5A5D61242243BE2E9996BD457327609EA848F7A9AAC422D35A8A14131AA833A9046E8
Malicious:	true
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.9.3.1.0.0.3.0.0.9.3.0.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.9.3.1.0.1.3.8.0.6.1.5.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.a.b.a.d.0.0.-.5.f.f.2.-.4.5.5.a.-.9.9.d.6.-.e.8.d.8.0.7.9.5.1.1.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.0.6.2.2.4.2.-.7.d.6.5.-.4.7.3.0.-.9.1.9.2.-.f.c.f.a.1.a.1.d.0.d.1.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.E.W. .P.O...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.L.R.S.u.r.r.o.g.a.t.e.E.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.9.c.-.0.0.0.1.-.0.0.1.c.-.1.b.b.b.-.0.e.c.a.4.4.c.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.a.5.0.3.3.1.0.1.f.6.3.6.c.0.6.3.d.c.0.6.b.9.d.b.8.1.0.7.0.f.0.0.0.0.0.0.0.0.!.0.0.0.0.e.d.9.6.d.1.7.9.4.0.3.a.b.3.1.9.d.a.6.2.c.0.9.2.a.8.1.7.a.5.e.b.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WindowsUpdate.ex_f9725cf91236fb8dfe1d0104b8abc11733cfe3b_2f3b6c15_171ed716\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.317492010859222
Encrypted:	false
SSDEEP:	192:7OPtFZVHBUZMXSaPXUlXK8zIUGrq/u7sjS274ItT:stFbBUZMXSascq/u7sjX4ItT
MD5:	B1FA9A9909F2FC460215410189DAD479
SHA1:	3593C650A86C5CE4F8DC6C624E710C9F78C2A3AB
SHA-256:	B60A4E81770237FFD38D5061B828D2D1D07A1FA7F31EA576473D72A0BFAC0E76
SHA-512:	24863AE1A8EA8411BDBB89ED9EFDD2DD7FDDD7589387A9467D06D8D53EA177EF3656DC2243FD08468204B56D9916F05F509679329A792FCCC1813D97E24B1AC1
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.9.3.1.0.4.0.7.0.0.2.6.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.9.3.1.0.5.0.5.4.4.0.0.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.3.e.0.c.b.9.-.3.e.6.2.-.4.a.3.4.-.8.6.9.3.-.e.a.8.7.1.d.f.f.6.d.8.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.b.7.3.2.f.2.-.0.3.a.6.-.4.c.3.5.-.a.4.b.4.-.1.d.d.f.7.7.7.a.0.d.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.L.R.S.u.r.r.o.g.a.t.e.E.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.9.c.-.0.0.0.1.-.0.0.1.c.-.f.d.9.d.-.5.4.d.e.4.4.c.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.a.5.0.3.3.1.0.1.f.6.3.6.c.0.6.3.d.c.0.6.b.9.d.b.8.1.0.7.0.f.0.0.0.0.0.0.0.0.!.0.0.0.0.e.d.9.6.d.1.7.9.4.0.3.a.b.3.1.9.d.a.6.2.c.0.9.2.a.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6775.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 28 21:43:27 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	449964
Entropy (8bit):	3.6035865303609618
Encrypted:	false
SSDEEP:	3072:DmVJqTllF9gIOgF5wSw10pi9UCgUVIYYFx3oNTwegf0Yr9xjd+pMBlRZwD72p:DuqTllF9RpD2xTjKQceC0YrQp
MD5:	EA0FD51B403912177C2B26EBDD1A5AB1
SHA1:	DD8B91956C56A71A99A95EB18CD8C6BA56C21AB2
SHA-256:	3D5B6410713940502934605B857F2F358ADA5C3F8211C4B803594B6E2CBEAA42
SHA-512:	155D054675CF0872A8C98BDF0789506801A99E86C44A00E8656D07510E33BDFF262AE166CCF89500445202D983DDC3D5FE5BAF7CBEA8C40F8A85106AE050A0A5
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... .........{a............T............%..h.......<...d1.......=..............`.......8...........T............]...............1...........3...................................................................U...........B......$4......GenuineIntelW...........T...........i.{a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FB2.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.689893445241779
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiEG6lo/6Yno6RgmfZPgSRCprx89bXysf69m:RrlsNit6C6Yo6RgmfRgSnXxfZ
MD5:	CFC0F3B85C65720723980E8C1DA197F6
SHA1:	0AE9AC449498FA019FB696E799C5081AEAADF187
SHA-256:	0EDA42A1EB6F0C2030499A5E30895E07DB3C26B92D644E7A5DBCDEB51ACF10DE
SHA-512:	BFAB105DAEEEB2650BA354521C3F46D5D6596C2170EEE3F9A9793869B213F4525FE0DEC6362A1213B22C687B90E070E659E88BF724A3435AC6866FC57FCB08DA
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER836C.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	4.4547449585238095
Encrypted:	false
SSDEEP:	48:cvIwSD8zsSJgtWI9FJWSC8By8fm8M4JpPWlFy+q8v4PWQe7W6Zkd:uITfgK4SNNJZKAe7WUkd
MD5:	E5DBAA3FCC088650C247209B16E6D90D
SHA1:	2E57CEBC70AD7DE1CF396C0C07280EBFBF290FFE
SHA-256:	05E0F0403A6D803BACE005ABE0255FF2D915E79B3CF64C2C84EBBC2673266914
SHA-512:	40238DFE9C4824AE636196FC2381ED06F987B107C7AB3D00F8743B84BD45021EEC4F19EE8EFDD940F2E18C93F8FE009C220A2D65E38817A048F70E244C46945D
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1230174" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACBA.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 28 21:44:02 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	439718
Entropy (8bit):	3.7315579748248786
Encrypted:	false
SSDEEP:	3072:xvm3oH9BGjx9gIOgF5zGRyApw0VmUCgUityZdBrvLuWozt/L2Vc0Cjd+peQ7bU/o:xldBG99RpDaPpwhTjZTKR0vpyFe
MD5:	FC30AAB9F9F32DA48F184F0CCA49188B
SHA1:	DC73378F02E183142F72A31583C1C7B40ACE0762
SHA-256:	8155D5002069C5C3C96F62E6581C9411CFBBA02DF8A968831E32A27743FC5233
SHA-512:	DC84C89587A42959806840EF7FECBA1ECB215127F7557E9E63B213D582149408F17913CFDBD8F9774CF8552B3E0566B6353BAFAD114B84F17189F4C7E030CCA0
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... .........{a............$............%..8.......$....0.......;..b~..........`.......8...........T............\...Y...........0...........2...................................................................U...........B......p3......GenuineIntelW...........T.............{a............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE20.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8368
Entropy (8bit):	3.6864794615673935
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqY6PL6Yx36qFRgmfZYgSRCprg89b+ZsfGWKm:RrlsNi96D6YR6qFRgmfSgSU+yfGy
MD5:	650062C22FF749C2444559315E871C75
SHA1:	944F516F87F3DBC9A309BE538F685AB7B0F8C0E0
SHA-256:	5139AC177A5C63F4F4A0C9CD9CB26BA1A316A7ED4EB7AAFF776AED1B2B545BAD
SHA-512:	BF536FAF04DF0F997590FED0494DF9BD60758406FF6E8BA545B361CC31DE26102093342993DEF3280E39C459974B4649CF8B41BBE921B97DAF9942B2B9782D9D
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC48A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4755
Entropy (8bit):	4.461257300281675
Encrypted:	false
SSDEEP:	48:cvIwSD8zsSJgtWI9FJWSC8BX8fm8M4JZPWlFw9+q8vnPW3eadoZkd:uITfgK4SNyJZKueadSkd
MD5:	478C37E58C9ED9F7B169C268F097CEF6
SHA1:	51A1BE08A636F85E1A5F76DE8FF353C069F25986
SHA-256:	4A78098278530B111978CDE087D9AD979591F8CA0D2FB86849FB2AD0307869A6
SHA-512:	3B431CAE51FCD9013985FAC93A971ED0C8DDF9A0B9420EC4E84D43AFFAEFF76E79621197D9E86E58DB1450FA89F2B9493573D632C1AA7F2E9626C9DF07618F37
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1230174" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PO.exe.log Download File
Process:	C:\Users\user\Desktop\NEW PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsUpdate.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\bhv94FC.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0456f320, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	1.0515290357457872
Encrypted:	false
SSDEEP:	24576:dVqA2TaAxucRfDw/ND0Xko5QqbMgSFDb7uBi:uRfD3y
MD5:	5B2767DB09030D6BFA3DECDD780AA574
SHA1:	5A863841DFF01C3C305CFEB9C652D0E6B6976DB1
SHA-256:	C14996019A48718A5DB499651C737EB902699611C66087EB7B78EEC49FB7F09A
SHA-512:	EFB28E20C19138610139095BDD9A30F9B02459A5DC9ECBDFBCFEF6446C4A732BB19BD75B4800A66ED8DB10A273E42D47322770D209B01ADC2BB7A98E2DB99F61
Malicious:	false
Reputation:	unknown
Preview:	.V. ... .......F1.......te3....wg.......................o.....,...y..,...y..h.q.........................6..43....wI.............................................................................................Z............B.................................................................................................................. .......7*...y..........................................................................................................................................................................................................................................+...y.y.................,...+...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bhvF8EB.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x2e45d84b, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	1.0515137857335044
Encrypted:	false
SSDEEP:	24576:F7qA2TaAxucRfDw/ND0Xko5QqbMgSFDb7uBi:URfD3y
MD5:	3042CAAEE52655CA002C2960DBD44156
SHA1:	5294AF930E5AEEE2B024744DF918FFE768CB97C9
SHA-256:	7189E52085B69F651887B9B5DB9E3F9683BE94D5B247F7AE5B1A73B151E24858
SHA-512:	69727D18648F18396E00A8C08CEF2471F803305F62E203DDB155F45E3DD0522DE989E63E264F43874DC2C7A314BB35A4DF61A94E167040D341BF7ABC8A59710D
Malicious:	false
Reputation:	unknown
Preview:	.E.K... .......F1.......te3....wg.......................o.....,...y..,...y..h.q.........................6..43....wI.............................................................................................Z............B.................................................................................................................. .......7...y........................................................................................................................................................................................................................................D>7...y.y.................).J.*...y?.........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\holderwb.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Roaming\WindowsUpdate.exe Download File
Process:	C:\Users\user\Desktop\NEW PO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.880107119214288
Encrypted:	false
SSDEEP:	12288:S1xn35Qfx7M5fMcm8FvLS3agsmMIFCnJGzhm0pIy4n8wmnPVMliAyZg5N44:Sz351JrFzeNIJGFBmy48ddMliRZg5N4
MD5:	770F6E88B7BF3FE3AAE144A5AA41DC96
SHA1:	ED96D179403AB319DA62C092A817A5EBEEA8C3DA
SHA-256:	08187BE5BB78DA6C7751C5D870D46E43E6B4204DB6ABF2CC2D80E9830FD136BA
SHA-512:	90D8F872263FBB46BC8E71BC7A370581F39DD1FE740E5972805D45C4BD8FB81E19E12D3154C3E694839F24AAD9A5E73ECBF381FA54DD399BF8E4145589C8DD19
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dnza..............0.................. ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........G..`.......C....:......................................................................?................................?................................?................................?............................................................................................................ .......@........................................................ .......@........................................................ .......@.....................................

C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\NEW PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:bin:e
MD5:	43E04DD08BB1305428B0C9C8D8A2660A
SHA1:	426076EBC703102E66F5722E4ABF70B380EEC15E
SHA-256:	043B901F48C813CFB6C1BB34FF866F0F73E2690A8181DE6121A0278F31B6253D
SHA-512:	482A0846E3989C334C92CC587F123587D862BB97E69B4A57F06F96E973F2F9CEDC454DE83507D3A2B66DC72AD4B960373F93F09840A8BC4083884370C0D8376C
Malicious:	false
Reputation:	unknown
Preview:	3996

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.387380345401073
Encrypted:	false
SSDEEP:	3:oNWXp5cViEaKC59KuCa:oNWXp+NaZ5v
MD5:	95FC50C7E40BB0D5EBD49FCBEE4E890D
SHA1:	E5086A9390CC8D6F512A206AB1AC4309A4CC4326
SHA-256:	DC88107DF527833D0D8B7AC45D31AF0E5343AE36AB9725016B046CDD77E46EC7
SHA-512:	4AC9E01163C00CC874BDBE1E4B5BF2463F8B53B9102705C774C790D8DFD8AEAD662DEDA812CF457022820FFD8174A1CD0275601C4BC6E4CCDB7E5A80CD52F799
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.277034631409952
Encrypted:	false
SSDEEP:	12288:9OeYHJvCquajLhOF82EwJG64uQpMVVXKTm6wzHnR/5sEFOLi8IQAhm:4eYHJvCquajLhOjd
MD5:	B9FEDE34538A4B64EABC43541461671D
SHA1:	2BE5E4F403EEFB0CD08619280408437F9471C164
SHA-256:	FB09EB2D2149D103F2B612E793913B92A270CD1B9B779C9CF61384686E9FAAB6
SHA-512:	0884950B4CEA35AB2F8D13E925DC9A48A12384497957A44E558042EC5D567EB4F8400C8636843EBADB9FFC66D4B7152C291A1D1DE097DBA95C666F84764DAF4E
Malicious:	false
Reputation:	unknown
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...D...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.217554824061032
Encrypted:	false
SSDEEP:	768:L20kdCQMwqhCrrC2i5ftx1aJ4Xw/FT7ABqXPeq5QMVyi6a54LXsuzxSNWv:LNfCCg38CREhL
MD5:	AD5FEEAF6306262EDDB4ACF5D8D346FB
SHA1:	D4E55BC73AA0CE125C35FA9D87F9D8233E88CEF6
SHA-256:	44232A8F8FB4C8CA684C7941CBEC62163EB822C9F6F53C1671CC3EA38AD89521
SHA-512:	F2AC2C9360957F9DFD458923C6F3AFB963E367E10D039C8E3BBD834D7E5758AB09DB2782CF46EA7903E09F9B1DBB4F97DB514500D3540ADF709DEE3C80CC37DA
Malicious:	false
Reputation:	unknown
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...D...................................................................................................................................................................................................................................................................................................................................................HvLE........Y...........Oyf.vA.k.L...8.......... ....... .......P.......0................... ..hbin................p.\..,..........nk,.%-..D................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .%-..D....... ........................... .......Z.......................Root........lf......Root....nk .%-..D....................}.............. ...............*...............DeviceCensus.......................vk..................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.880107119214288
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NEW PO.exe
File size:	774144
MD5:	770f6e88b7bf3fe3aae144a5aa41dc96
SHA1:	ed96d179403ab319da62c092a817a5ebeea8c3da
SHA256:	08187be5bb78da6c7751c5d870d46e43e6b4204db6abf2cc2d80e9830fd136ba
SHA512:	90d8f872263fbb46bc8e71bc7a370581f39dd1fe740e5972805d45c4bd8fb81e19e12d3154c3e694839f24aad9a5e73ecbf381fa54dd399bf8e4145589c8dd19
SSDEEP:	12288:S1xn35Qfx7M5fMcm8FvLS3agsmMIFCnJGzhm0pIy4n8wmnPVMliAyZg5N44:Sz351JrFzeNIJGFBmy48ddMliRZg5N4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dnza..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4be22e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x617A6E64 [Thu Oct 28 09:33:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe1e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbc234	0xbc400	False	0.923099269588	data	7.88873846261	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x608	0x800	False	0.328125	data	3.46210381505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x378	data
RT_MANIFEST	0xc0418	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright HP Inc. 2017
Assembly Version	1.0.0.0
InternalName	CLRSurrogateEnt.exe
FileVersion	1.0.0.0
CompanyName	HP Inc.
LegalTrademarks
Comments
ProductName	Lab_4_V1_2017_09_21
ProductVersion	1.0.0.0
FileDescription	Lab_4_V1_2017_09_21
OriginalFilename	CLRSurrogateEnt.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/28/21-14:43:11.069910	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49748	104.16.155.36	192.168.2.3
10/28/21-14:43:47.071824	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49757	104.16.155.36	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2021 14:43:11.019169092 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:11.036216974 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:11.036401987 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:11.043543100 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:11.060439110 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:11.069910049 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:11.123039007 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:12.641005993 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:12.660057068 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:12.660156012 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:12.891926050 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:12.934421062 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:12.934525967 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.111594915 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.118011951 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.160418034 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.160445929 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.162899017 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.205374002 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.209489107 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.263010025 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.418025017 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.461630106 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465209961 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465270042 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465287924 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465300083 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465353966 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.507816076 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.560699940 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.564694881 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.608211994 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.653784037 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.951602936 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.994479895 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.995546103 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.038141966 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.038681030 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.087984085 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.088377953 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.131851912 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.132246971 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.177658081 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.178095102 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.227938890 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.229852915 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.229880095 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.229883909 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.230189085 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.272330046 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.272694111 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.328883886 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.372522116 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:41.588838100 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:47.024471045 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:47.042136908 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:47.042231083 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:47.042749882 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:47.059446096 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:47.071824074 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:47.125102043 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:49.601188898 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:49.619297028 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:49.621902943 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:49.746953964 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:49.789490938 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:49.789563894 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.831136942 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.837745905 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.880435944 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.880465031 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.880744934 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.923388004 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.923423052 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.969254017 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.969713926 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.012176037 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012528896 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012558937 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012583017 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012599945 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012623072 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.012661934 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.055291891 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.063004971 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.106468916 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.156745911 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.180295944 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.228564978 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.229182005 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.272068977 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.272759914 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.334686041 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.335300922 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.378505945 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.380063057 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.424993038 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.425535917 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.479861975 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.498454094 CEST	49760	587	192.168.2.3	194.152.32.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2021 14:43:10.965198040 CEST	54154	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:10.990313053 CEST	53	54154	8.8.8.8	192.168.2.3
Oct 28, 2021 14:43:12.834615946 CEST	52806	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:12.853415966 CEST	53	52806	8.8.8.8	192.168.2.3
Oct 28, 2021 14:43:46.966675043 CEST	56009	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:46.989118099 CEST	53	56009	8.8.8.8	192.168.2.3
Oct 28, 2021 14:43:49.683657885 CEST	49572	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:49.702991962 CEST	53	49572	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 28, 2021 14:43:10.965198040 CEST	192.168.2.3	8.8.8.8	0x9e68	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:12.834615946 CEST	192.168.2.3	8.8.8.8	0xc9ce	Standard query (0)	mail.inbox.lv	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:46.966675043 CEST	192.168.2.3	8.8.8.8	0xae52	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:49.683657885 CEST	192.168.2.3	8.8.8.8	0x1315	Standard query (0)	mail.inbox.lv	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 28, 2021 14:43:10.990313053 CEST	8.8.8.8	192.168.2.3	0x9e68	No error (0)	whatismyipaddress.com		104.16.155.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:10.990313053 CEST	8.8.8.8	192.168.2.3	0x9e68	No error (0)	whatismyipaddress.com		104.16.154.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:12.853415966 CEST	8.8.8.8	192.168.2.3	0xc9ce	No error (0)	mail.inbox.lv		194.152.32.10	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:34.242847919 CEST	8.8.8.8	192.168.2.3	0x54e8	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Oct 28, 2021 14:43:46.989118099 CEST	8.8.8.8	192.168.2.3	0xae52	No error (0)	whatismyipaddress.com		104.16.155.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:46.989118099 CEST	8.8.8.8	192.168.2.3	0xae52	No error (0)	whatismyipaddress.com		104.16.154.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:49.702991962 CEST	8.8.8.8	192.168.2.3	0x1315	No error (0)	mail.inbox.lv		194.152.32.10	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

whatismyipaddress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49748	104.16.155.36	80	C:\Users\user\Desktop\NEW PO.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 14:43:11.043543100 CEST	1091	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Oct 28, 2021 14:43:11.069910049 CEST	1092	IN	HTTP/1.1 403 Forbidden Date: Thu, 28 Oct 2021 12:43:11 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 6a543f9218035b86-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49757	104.16.155.36	80	C:\Users\user\Desktop\NEW PO.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 14:43:47.042749882 CEST	1169	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Oct 28, 2021 14:43:47.071824074 CEST	1169	IN	HTTP/1.1 403 Forbidden Date: Thu, 28 Oct 2021 12:43:47 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 6a5440731a042c52-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 28, 2021 14:43:15.111594915 CEST	587	49749	194.152.32.10	192.168.2.3	220 mail.inbox.lv relay for customers ESMTP ready
Oct 28, 2021 14:43:15.118011951 CEST	49749	587	192.168.2.3	194.152.32.10	EHLO 051829
Oct 28, 2021 14:43:15.160445929 CEST	587	49749	194.152.32.10	192.168.2.3	250-mail.inbox.lv relay for customers 250-SIZE 59900000 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Oct 28, 2021 14:43:15.162899017 CEST	49749	587	192.168.2.3	194.152.32.10	STARTTLS
Oct 28, 2021 14:43:15.209489107 CEST	587	49749	194.152.32.10	192.168.2.3	220 2.0.0 Start TLS
Oct 28, 2021 14:43:51.831136942 CEST	587	49760	194.152.32.10	192.168.2.3	220 mail.inbox.lv relay for customers ESMTP ready
Oct 28, 2021 14:43:51.837745905 CEST	49760	587	192.168.2.3	194.152.32.10	EHLO 051829
Oct 28, 2021 14:43:51.880465031 CEST	587	49760	194.152.32.10	192.168.2.3	250-mail.inbox.lv relay for customers 250-SIZE 59900000 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Oct 28, 2021 14:43:51.880744934 CEST	49760	587	192.168.2.3	194.152.32.10	STARTTLS
Oct 28, 2021 14:43:51.923423052 CEST	587	49760	194.152.32.10	192.168.2.3	220 2.0.0 Start TLS

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: NEW PO.exe PID: 7156 Parent PID: 4972

General

Start time:	14:42:57
Start date:	28/10/2021
Path:	C:\Users\user\Desktop\NEW PO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NEW PO.exe'
Imagebase:	0xeb0000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: NEW PO.exe PID: 6044 Parent PID: 7156

General

Start time:	14:43:05
Start date:	28/10/2021
Path:	C:\Users\user\Desktop\NEW PO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\NEW PO.exe
Imagebase:	0x600000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000002.366905535.0000000007C60000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, Author: Joe Security Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.315132026.0000000007C60000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.315200782.0000000007EE0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000002.367050092.0000000007EE0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.320411963.0000000007C60000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: vbc.exe PID: 6692 Parent PID: 6044

General

Start time:	14:43:15
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.317013131.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.316648058.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: vbc.exe PID: 6728 Parent PID: 6044

General

Start time:	14:43:15
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.319742971.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.320558066.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.320160730.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 6724 Parent PID: 6044

General

Start time:	14:43:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: WindowsUpdate.exe PID: 6976 Parent PID: 3352

General

Start time:	14:43:25
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Imagebase:	0x780000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: WindowsUpdate.exe PID: 7120 Parent PID: 6976

General

Start time:	14:43:28
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Imagebase:	0x710000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: WindowsUpdate.exe PID: 4816 Parent PID: 3352

General

Start time:	14:43:33
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Imagebase:	0xc00000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: WindowsUpdate.exe PID: 3996 Parent PID: 4816

General

Start time:	14:43:39
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Imagebase:	0xdd0000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000002.439571003.0000000008640000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.395440509.0000000008660000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.395401347.0000000008640000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.408411000.0000000008640000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.408464737.0000000008660000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000002.439615340.0000000008660000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: vbc.exe PID: 6828 Parent PID: 3996

General

Start time:	14:43:53
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000002.420264771.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000000.398239322.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000000.399210452.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: vbc.exe PID: 5076 Parent PID: 3996

General

Start time:	14:43:53
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000002.404452957.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000000.402038118.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000000.401599576.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 6008 Parent PID: 3996

General

Start time:	14:43:59
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: WerFault.exe PID: 5028 Parent PID: 3996

General

Start time:	14:44:01
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report NEW PO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre