Windows Analysis Report Hpdyv8oO3j.exe

Overview

General Information

Sample Name: Hpdyv8oO3j.exe
Analysis ID: 524274
MD5: dffaf08a25150b38c19210c180862aeb
SHA1: a28b135b64a08d5ed30621aac5c3e955d4d090fb
SHA256: 8fdbfbf55033187c6a4d3cd7d42394cd56cbd3b5a9dc905e72aef2886172be36
Tags: exe, njrat, RAT

Detection

HawkEye, MailPassView, Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Uses cmd line tools excessively to alter registry or file data
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Creates files with lurking names (e.g. Crack.exe)
Injects a PE file into foreign processes
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large strings
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Social media urls found in memory data
Uses taskkill to terminate processes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Avira: detection malicious, Label: TR/Agent.32768.2190
Source: C:\Windows\SysWOW64\user32dll.exe Avira: detection malicious, Label: TR/Agent.32768.2190
Source: C:\Users\user\AppData\Roaming\RedLine.exe Avira: detection malicious, Label: BDS/Bladabindi.ajooc
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61bc7bd88d10e97264127fe545415b17.exe Avira: detection malicious, Label: BDS/Bladabindi.ajooc
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Avira: detection malicious, Label: HEUR/AGEN.1134703
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Avira: detection malicious, Label: BDS/Bladabindi.ajooc
Multi AV Scanner detection for submitted file
Source: Hpdyv8oO3j.exe Metadefender: Detection: 74%
Source: Hpdyv8oO3j.exe ReversingLabs: Detection: 100%
Yara detected Njrat
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 4140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 7032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.exe PID: 4236, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: Hpdyv8oO3j.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Metadefender: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61bc7bd88d10e97264127fe545415b17.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\RedLine.exe ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\user32dll.exe Metadefender: Detection: 82%
Source: C:\Windows\SysWOW64\user32dll.exe ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: Hpdyv8oO3j.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\user32dll.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\RedLine.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61bc7bd88d10e97264127fe545415b17.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.Keylogger.exe.760000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.0.Keylogger.exe.760000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 19.0.user32dll.exe.400000.0.unpack Avira: Label: TR/Agent.32768.2190
Source: 17.0.Windows Update.exe.d40000.8.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 17.0.Windows Update.exe.d40000.8.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 19.2.user32dll.exe.400000.0.unpack Avira: Label: TR/Agent.32768.2190
Source: 17.2.Windows Update.exe.d40000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 17.2.Windows Update.exe.d40000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.RedLine.exe.580000.0.unpack Avira: Label: BDS/Bladabindi.ajooc
Source: 17.0.Windows Update.exe.d40000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 17.0.Windows Update.exe.d40000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.RedLine.MainPanel-cracked.exe.340000.0.unpack Avira: Label: BDS/Bladabindi.ajooc
Source: 0.3.Hpdyv8oO3j.exe.708218.1.unpack Avira: Label: TR/Agent.32768.2190
Source: 4.0.RedLine.MainPanel-cracked.exe.550000.0.unpack Avira: Label: BDS/Bladabindi.ajooc
Source: 17.0.Windows Update.exe.d40000.12.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 17.0.Windows Update.exe.d40000.12.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.RedLine.MainPanel-cracked.exe.550000.0.unpack Avira: Label: BDS/Bladabindi.ajooc
Source: 2.2.Keylogger.exe.760000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.Keylogger.exe.760000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 5.2.RedLine.MainPanel-cracked.exe.340000.0.unpack Avira: Label: BDS/Bladabindi.ajooc
Source: 17.0.Windows Update.exe.d40000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 17.0.Windows Update.exe.d40000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.RedLine.exe.580000.0.unpack Avira: Label: BDS/Bladabindi.ajooc
Source: 8.2.ViRuS.exe.400000.0.unpack Avira: Label: TR/Agent.32768.2190
Source: 8.0.ViRuS.exe.400000.0.unpack Avira: Label: TR/Agent.32768.2190

Compliance:

Uses 32bit PE files
Source: Hpdyv8oO3j.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: .pdb8 source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH4s source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDBE source: Windows Update.exe, 00000011.00000002.404185049.0000000006DF4000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.404011011.0000000006D70000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Keylogger.exe, Windows Update.exe
Source: Binary string: C:\Windows\mscorlib.pdbn source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.404185049.0000000006DF4000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Keylogger.exe, Windows Update.exe, vbc.exe, 00000019.00000002.567099655.0000000000400000.00000040.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbC source: Windows Update.exe, 00000011.00000002.404126730.0000000006DD4000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Keylogger.exe, Windows Update.exe, vbc.exe
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb86 source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp

Spreading:

May infect USB drives
Source: Keylogger.exe Binary or memory string: [autorun]
Source: Keylogger.exe Binary or memory string: autorun.inf
Source: RedLine.MainPanel-cracked.exe, 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp Binary or memory string: autorun.inf![autorun]
Source: RedLine.MainPanel-cracked.exe, 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp Binary or memory string: autorun.inf![autorun]
Source: RedLine.exe, 00000010.00000002.570406850.0000000002AD6000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: RedLine.exe, 00000010.00000002.570406850.0000000002AD6000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: RedLine.exe, 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp Binary or memory string: autorun.inf![autorun]
Source: Windows Update.exe Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000011.00000002.399929193.00000000035FD000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 28_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 28_2_00407E0E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 4x nop then jmp 02A71A73h 2_2_02A719A0
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_02A70728
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 4x nop then jmp 02A71A73h 2_2_02A719B0
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 4x nop then jmp 02A71A73h 2_2_02A71A80
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_02A717F8
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_02A714C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 17_2_02F779C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 17_2_02F717F8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 17_2_02F7ADDF
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 17_2_02F714C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 17_2_02F779B2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 02F71A73h 17_2_02F719B0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then mov esp, ebp 17_2_02F748B9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 02F71A73h 17_2_02F719A0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 17_2_02F75B70
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 17_2_02F7603A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 17_2_02F70728

Networking:

May check the online IP address of the machine
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49753 -> 173.194.79.109:587
Source: global traffic TCP traffic: 192.168.2.3:49754 -> 82.202.167.226:6542
Source: global traffic TCP traffic: 192.168.2.3:49805 -> 173.194.79.108:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49753 -> 173.194.79.109:587
Source: global traffic TCP traffic: 192.168.2.3:49805 -> 173.194.79.108:587
Social media urls found in memory data
Source: vbc.exe String found in binary or memory: http://www.facebook.com/
Source: vbc.exe, 0000001C.00000003.409116998.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: vbc.exe, 0000001C.00000003.409116998.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: vbc.exe, 0000001C.00000003.409116998.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000001C.00000003.409116998.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 0000001C.00000003.409116998.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 0000001C.00000003.409116998.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 0000001C.00000003.409116998.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: Keylogger.exe, Windows Update.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000011.00000002.404185049.0000000006DF4000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: Keylogger.exe, Windows Update.exe, vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000001C.00000003.408089051.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: vbc.exe, 0000001C.00000003.408089051.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000001C.00000003.408089051.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: unknown DNS traffic detected: queries for: 231.58.0.0.in-addr.arpa
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_014AA09A recv, 17_2_014AA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 18 Nov 2021 09:14:13 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTSet-Cookie: __cf_bm=sGeod6pqVWjcwREELm2hUH2GgAdW_2GQyVQFKmuAcw0-1637226853-0-ARb8/mXyrtsjliF6MoAc1RTKm13uI/eP7YlvFz7ZWBMjq2DYNWHf6wU8P4W3in6z8BV4TXLAYgb9S5ghyt8nUT4=; path=/; expires=Thu, 18-Nov-21 09:44:13 GMT; domain=.whatismyipaddress.com; HttpOnlyServer: cloudflareCF-RAY: 6b00165a9d85690a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 18 Nov 2021 09:15:00 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTSet-Cookie: __cf_bm=_VxCpL1SUogQPkmhm6XJQzy_263PsYORKxhnP5Lzpu8-1637226900-0-AakJJ2rong7agBiGXb/Yc2BMeTYb8+YfO1kR1pbeDWQZeZMuafai1azbDQQgGLp6uCRe9S4dAlA9ilezE9rCYhI=; path=/; expires=Thu, 18-Nov-21 09:45:00 GMT; domain=.whatismyipaddress.com; HttpOnlyServer: cloudflareCF-RAY: 6b00177fbd724e44-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: unknown TCP traffic detected without corresponding DNS query: 82.202.167.226
Source: Keylogger.exe, 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, Windows Update.exe, 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, vbc.exe, 0000001C.00000000.394707935.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Keylogger.exe, 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, Windows Update.exe, 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, vbc.exe, 0000001C.00000000.394707935.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Keylogger.exe, Windows Update.exe, vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000001C.00000003.411487193.0000000002264000.00000004.00000001.sdmp String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdatainde
x%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co
Source: vbc.exe, 0000001C.00000003.409624926.0000000002264000.00000004.00000001.sdmp String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdatainde
x%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.401046205.000000000384C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401022146.0000000003844000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Keylogger.exe PID: 4492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Contains functionality to log keystrokes (.Net Source)
Source: Keylogger.exe.0.dr, Form1.cs .Net Code: HookKeyboard
Source: Windows Update.exe.2.dr, Form1.cs .Net Code: HookKeyboard
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: WindowsUpdate.exe.17.dr, Form1.cs .Net Code: HookKeyboard
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs .Net Code: HookKeyboard
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_0040D674 OpenClipboard,GetLastError,DeleteFileW, 28_2_0040D674
Creates a DirectInput object (often for capturing keystrokes)
Source: ViRuS.exe, 00000008.00000002.329640367.000000000074A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Njrat
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2a99190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2aa6b58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2886cd8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ae6cd8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2aa6a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 4140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 7032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.exe PID: 4236, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.RedLine.exe.2a99190.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.RedLine.exe.2a99190.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.RedLine.exe.2aa6b58.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.RedLine.exe.2aa6b58.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RedLine.MainPanel-cracked.exe.2886cd8.4.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.RedLine.MainPanel-cracked.exe.2886cd8.4.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6cd8.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6cd8.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.RedLine.exe.2aa6a40.4.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.RedLine.exe.2aa6a40.4.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.401022146.0000000003844000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Creates files with lurking names (e.g. Crack.exe)
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe File created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\RedLine.MainPanel-cracked.exe.log
.NET source code contains very large strings
Source: RedLine.MainPanel-cracked.exe.0.dr, Class1.cs Long String: Length: 25236
Source: RedLine.exe.4.dr, Class1.cs Long String: Length: 25236
Source: 4.0.RedLine.MainPanel-cracked.exe.550000.0.unpack, Class1.cs Long String: Length: 25236
Source: 4.2.RedLine.MainPanel-cracked.exe.550000.0.unpack, Class1.cs Long String: Length: 25236
Source: 5.0.RedLine.MainPanel-cracked.exe.340000.0.unpack, Class1.cs Long String: Length: 25236
Source: 5.2.RedLine.MainPanel-cracked.exe.340000.0.unpack, Class1.cs Long String: Length: 25236
Source: 61bc7bd88d10e97264127fe545415b17.exe.16.dr, Class1.cs Long String: Length: 25236
Source: 16.2.RedLine.exe.580000.0.unpack, Class1.cs Long String: Length: 25236
Source: 16.0.RedLine.exe.580000.0.unpack, Class1.cs Long String: Length: 25236
One or more processes crash
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2528
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_0076D426 2_2_0076D426
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_0076D523 2_2_0076D523
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_0077D5AE 2_2_0077D5AE
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00777646 2_2_00777646
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007A29BE 2_2_007A29BE
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007A6AF4 2_2_007A6AF4
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007CABFC 2_2_007CABFC
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007C3C4D 2_2_007C3C4D
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007C3CBE 2_2_007C3CBE
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007C3D2F 2_2_007C3D2F
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_0076ED03 2_2_0076ED03
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007C3DC0 2_2_007C3DC0
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_0077AFA6 2_2_0077AFA6
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_0076CF92 2_2_0076CF92
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_02A71D98 2_2_02A71D98
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_0079C7BC 2_2_0079C7BC
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_02A71DA8 2_2_02A71DA8
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Code function: 4_2_00007FFC08AB1AF5 4_2_00007FFC08AB1AF5
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Code function: 4_2_00007FFC08AB2363 4_2_00007FFC08AB2363
Source: C:\Users\user\AppData\Roaming\RedLine.exe Code function: 16_2_00007FFC08AE2403 16_2_00007FFC08AE2403
Source: C:\Users\user\AppData\Roaming\RedLine.exe Code function: 16_2_00007FFC08AE1B95 16_2_00007FFC08AE1B95
Source: C:\Users\user\AppData\Roaming\RedLine.exe Code function: 16_2_00007FFC08AE5196 16_2_00007FFC08AE5196
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D4D426 17_2_00D4D426
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D5D5AE 17_2_00D5D5AE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D4D523 17_2_00D4D523
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D57646 17_2_00D57646
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D829BE 17_2_00D829BE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D86AF4 17_2_00D86AF4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00DAABFC 17_2_00DAABFC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00DA3CBE 17_2_00DA3CBE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00DA3C4D 17_2_00DA3C4D
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00DA3DC0 17_2_00DA3DC0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D4ED03 17_2_00D4ED03
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00DA3D2F 17_2_00DA3D2F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D4CF92 17_2_00D4CF92
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D5AFA6 17_2_00D5AFA6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F77098 17_2_02F77098
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F7A670 17_2_02F7A670
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F75758 17_2_02F75758
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F76048 17_2_02F76048
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F78A10 17_2_02F78A10
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F71D98 17_2_02F71D98
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F77088 17_2_02F77088
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00D7C7BC 17_2_00D7C7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00404419 28_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00404516 28_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00413538 28_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_004145A1 28_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_0040E639 28_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_004337AF 28_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_004399B1 28_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_0043DAE7 28_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00405CF6 28_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00403F85 28_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00411F99 28_2_00411F99
PE file contains strange resources
Source: Keylogger.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Keylogger.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Keylogger.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RedLine.MainPanel-cracked.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ViRuS.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RedLine.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: user32dll.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 61bc7bd88d10e97264127fe545415b17.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: security.dll
Uses 32bit PE files
Source: Hpdyv8oO3j.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 17.2.Windows Update.exe.350b42c.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.Windows Update.exe.7f20000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.RedLine.exe.2a99190.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.RedLine.exe.2a99190.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.RedLine.exe.2aa6b58.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.RedLine.exe.2aa6b58.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.7d50000.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RedLine.MainPanel-cracked.exe.2886cd8.4.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.RedLine.MainPanel-cracked.exe.2886cd8.4.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6cd8.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.RedLine.MainPanel-cracked.exe.2ae6cd8.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Keylogger.exe.2f3be9c.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RedLine.exe.2aa6a40.4.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.RedLine.exe.2aa6a40.4.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000002.401022146.0000000003844000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.404757917.0000000007F20000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000002.404673570.0000000007D50000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000002.529100173.0000000008CA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000023.00000002.529114563.0000000008CB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe File created: C:\Windows\SysWOW64\user32dll.exe
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00D8BA9D appears 35 times
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: String function: 007ABA9D appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_0562691A NtUnmapViewOfSection, 17_2_0562691A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_056252BA NtQuerySystemInformation, 17_2_056252BA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_056268D6 NtUnmapViewOfSection, 17_2_056268D6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_05625280 NtQuerySystemInformation, 17_2_05625280
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 28_2_00408836
Sample file is different than original file name gathered from version info
Source: Hpdyv8oO3j.exe, 00000000.00000002.322128416.0000000000585000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamemicrostub.exe, vs Hpdyv8oO3j.exe
Source: Hpdyv8oO3j.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\user32dll.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@53/24@7/7
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe File read: C:\Users\desktop.ini
Source: Windows Update.exe.2.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Keylogger.exe.0.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WindowsUpdate.exe.17.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_0040135A GetSystemDirectoryA,PathAddBackslashA,GetWindowsDirectoryA,GetTempPathA,GetModuleFileNameA,GetEnvironmentVariableA,FindResourceA,SizeofResource,LoadResource,LockResource,GlobalAlloc,RtlMoveMemory,GlobalAlloc,RtlMoveMemory,GlobalFree,lstrcpynA,lstrcpyA,lstrlenA,lstrcpyA,lstrlenA,lstrcpyA,lstrcatA,lstrcpyA,CreateFileA,WriteFile,HeapAlloc,WriteFile,HeapFree,CreateFileA,GetFileSize,CloseHandle,HeapAlloc,WriteFile,HeapFree,CloseHandle,FindCloseChangeNotification,GlobalFree,SetFileAttributesA,lstrcpyA,PathFindFileNameA,ShellExecuteA,FreeResource,ExitProcess,ExitProcess, 0_2_0040135A
Source: ViRuS.exe, 00000008.00000002.329432377.0000000000401000.00000020.00020000.sdmp, user32dll.exe, 00000013.00000000.354827611.0000000000401000.00000020.00020000.sdmp Binary or memory string: @*\AC:\Kuzja 1.4\vir.vbpd
Source: ViRuS.exe Binary or memory string: *\AC:\Kuzja 1.4\vir.vbp
Source: ViRuS.exe, 00000008.00000002.329438732.0000000000407000.00000004.00020000.sdmp, user32dll.exe, 00000013.00000002.357757448.0000000000407000.00000004.00020000.sdmp Binary or memory string: $@*\AC:\Kuzja 1.4\vir.vbp
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HOST.bat" "
Source: Hpdyv8oO3j.exe Metadefender: Detection: 74%
Source: Hpdyv8oO3j.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Hpdyv8oO3j.exe "C:\Users\user\Desktop\Hpdyv8oO3j.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\Keylogger.exe "C:\Users\user\AppData\Local\Temp\Keylogger.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\hhzclipper.exe "C:\Users\user\AppData\Local\Temp\hhzclipper.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HOST.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\ViRuS.exe "C:\Users\user\AppData\Local\Temp\ViRuS.exe"
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\system32\user32dll.exe
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "ViRuS.exe"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process created: C:\Users\user\AppData\Roaming\RedLine.exe "C:\Users\user\AppData\Roaming\RedLine.exe"
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: unknown Process created: C:\Windows\SysWOW64\user32dll.exe "C:\Windows\SysWOW64\user32dll.exe"
Source: C:\Windows\SysWOW64\user32dll.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "user32dll.exe"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RedLine.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\RedLine.exe" "RedLine.exe" ENABLE
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2528
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: unknown Process created: C:\Users\user\AppData\Roaming\RedLine.exe "C:\Users\user\AppData\Roaming\RedLine.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\RedLine.exe "C:\Users\user\AppData\Roaming\RedLine.exe" ..
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\RedLine.exe "C:\Users\user\AppData\Roaming\RedLine.exe" ..
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2472
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 176
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\Keylogger.exe "C:\Users\user\AppData\Local\Temp\Keylogger.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\hhzclipper.exe "C:\Users\user\AppData\Local\Temp\hhzclipper.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HOST.bat" "
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\ViRuS.exe "C:\Users\user\AppData\Local\Temp\ViRuS.exe"
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process created: C:\Users\user\AppData\Roaming\RedLine.exe "C:\Users\user\AppData\Roaming\RedLine.exe"
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\system32\user32dll.exe
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "ViRuS.exe"
Source: C:\Users\user\AppData\Roaming\RedLine.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\RedLine.exe" "RedLine.exe" ENABLE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2528
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Windows\SysWOW64\user32dll.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "user32dll.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_056251EA AdjustTokenPrivileges, 17_2_056251EA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_056251B3 AdjustTokenPrivileges, 17_2_056251B3
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ViRuS.exe")
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "user32dll.exe")
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe File created: C:\Users\user\AppData\Local\Temp\Keylogger.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 28_2_00415F87
Source: Keylogger.exe, Windows Update.exe, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Keylogger.exe, Windows Update.exe, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Keylogger.exe, 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, Windows Update.exe, 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, vbc.exe, 0000001C.00000000.394707935.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Keylogger.exe, Windows Update.exe, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Keylogger.exe, Windows Update.exe, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Keylogger.exe, Windows Update.exe, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Keylogger.exe, Windows Update.exe, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\RedLine.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\RedLine.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\RedLine.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 28_2_00411196
Source: Keylogger.exe.0.dr, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: RedLine.MainPanel-cracked.exe.0.dr, Class1.cs Base64 encoded string:
Source: Windows Update.exe.2.dr, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: RedLine.exe.4.dr, Class1.cs Base64 encoded string:
Source: 4.0.RedLine.MainPanel-cracked.exe.550000.0.unpack, Class1.cs Base64 encoded string:
Source: 4.2.RedLine.MainPanel-cracked.exe.550000.0.unpack, Class1.cs Base64 encoded string:
Source: 5.0.RedLine.MainPanel-cracked.exe.340000.0.unpack, Class1.cs Base64 encoded string:
Source: 5.2.RedLine.MainPanel-cracked.exe.340000.0.unpack, Class1.cs Base64 encoded string:
Source: 61bc7bd88d10e97264127fe545415b17.exe.16.dr, Class1.cs Base64 encoded string:
Source: 16.2.RedLine.exe.580000.0.unpack, Class1.cs Base64 encoded string:
Source: 16.0.RedLine.exe.580000.0.unpack, Class1.cs Base64 encoded string:
Source: WindowsUpdate.exe.17.dr, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs Base64 encoded string: 'Ty3Lk8RnQfYL8aK1VgHq22paeblr7aqlRzHxRfjEXdlNccbW8zqh6kQeot5YJx3a', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Users\user\AppData\Roaming\RedLine.exe Mutant created: \Sessions\1\BaseNamedObjects\61bc7bd88d10e97264127fe545415b17SGFjS2Vk
Source: Keylogger.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Keylogger.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Keylogger.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Keylogger.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: Windows Update.exe.2.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Windows Update.exe.2.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Windows Update.exe.2.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Windows Update.exe.2.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Hpdyv8oO3j.exe Static file information: File size 1634464 > 1048576
Source: Hpdyv8oO3j.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x174c00
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: .pdb8 source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH4s source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDBE source: Windows Update.exe, 00000011.00000002.404185049.0000000006DF4000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.404011011.0000000006D70000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Keylogger.exe, Windows Update.exe
Source: Binary string: C:\Windows\mscorlib.pdbn source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.404185049.0000000006DF4000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Keylogger.exe, Windows Update.exe, vbc.exe, 00000019.00000002.567099655.0000000000400000.00000040.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbC source: Windows Update.exe, 00000011.00000002.404126730.0000000006DD4000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Keylogger.exe, Windows Update.exe, vbc.exe
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb86 source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.405064148.000000000838A000.00000004.00000010.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000011.00000002.397838625.0000000002F57000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Keylogger.exe.0.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Keylogger.exe.0.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Keylogger.exe.0.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Keylogger.exe.0.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.2.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.2.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.2.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.2.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.17.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.17.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.17.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.17.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007D0712 push eax; ret 2_2_007D0726
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007D0712 push eax; ret 2_2_007D074E
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007ABA9D push eax; ret 2_2_007ABAB1
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_007ABA9D push eax; ret 2_2_007ABAD9
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C63061 push eax; ret 2_2_00C63062
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C63030 push ecx; ret 2_2_00C63032
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C6303C push ecx; ret 2_2_00C6303E
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C62941 push edi; ret 2_2_00C62942
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C6294D push edi; ret 2_2_00C6294E
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C62924 push edi; ret 2_2_00C62936
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C62B5C push eax; ret 2_2_00C62B5E
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_00C62CC5 push edi; ret 2_2_00C62CC6
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_02770000 push edx; ret 2_2_02770053
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_027705CF push ebx; iretd 2_2_027705D3
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402448 push 0040112Eh; ret 8_2_0040245B
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_0040245C push 0040112Eh; ret 8_2_0040246F
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402470 push 0040112Eh; ret 8_2_00402483
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_0040240C push 0040112Eh; ret 8_2_0040241F
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402420 push 0040112Eh; ret 8_2_00402433
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402434 push 0040112Eh; ret 8_2_00402447
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402484 push 0040112Eh; ret 8_2_00402497
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402498 push 0040112Eh; ret 8_2_004024AB
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_004024AC push 0040112Eh; ret 8_2_004024BF
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402344 push 0040112Eh; ret 8_2_00402357
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402358 push 0040112Eh; ret 8_2_0040236B
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_0040236C push 0040112Eh; ret 8_2_0040237F
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402308 push 0040112Eh; ret 8_2_0040231B
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_0040231C push 0040112Eh; ret 8_2_0040232F
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_00402330 push 0040112Eh; ret 8_2_00402343
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_004023D0 push 0040112Eh; ret 8_2_004023E3
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Code function: 8_2_004023E4 push 0040112Eh; ret 8_2_004023F7
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_004011CF LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA, 0_2_004011CF
PE file contains an invalid checksum
Source: hhzclipper.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x9649
Source: WindowsUpdate.exe.17.dr Static PE information: real checksum: 0x0 should be: 0x88c7e
Source: Windows Update.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x88c7e
Source: Keylogger.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x88c7e
Source: RedLine.MainPanel-cracked.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x1dd75
Source: 61bc7bd88d10e97264127fe545415b17.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x1dd75
Source: ViRuS.exe.0.dr Static PE information: real checksum: 0x17efc should be: 0xbc9c
Source: RedLine.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1dd75
Source: user32dll.exe.8.dr Static PE information: real checksum: 0x17efc should be: 0xbc9c
Source: Hpdyv8oO3j.exe Static PE information: real checksum: 0x0 should be: 0x1919e0

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: attrib.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown Executable created and started: C:\Windows\SysWOW64\user32dll.exe
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe File created: C:\Users\user\AppData\Roaming\RedLine.exe
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe File created: C:\Users\user\AppData\Local\Temp\ViRuS.exe
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe File created: C:\Windows\SysWOW64\user32dll.exe
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe File created: C:\Users\user\AppData\Local\Temp\hhzclipper.exe
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe File created: C:\Users\user\AppData\Local\Temp\Keylogger.exe
Source: C:\Users\user\AppData\Roaming\RedLine.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61bc7bd88d10e97264127fe545415b17.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe File created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe File created: C:\Windows\SysWOW64\user32dll.exe

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Roaming\RedLine.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 61bc7bd88d10e97264127fe545415b17
Drops PE files to the startup folder
Source: C:\Users\user\AppData\Roaming\RedLine.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61bc7bd88d10e97264127fe545415b17.exe
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Roaming\RedLine.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 61bc7bd88d10e97264127fe545415b17
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Source: C:\Users\user\AppData\Roaming\RedLine.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61bc7bd88d10e97264127fe545415b17.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Source: C:\Users\user\AppData\Roaming\RedLine.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 61bc7bd88d10e97264127fe545415b17
Source: C:\Users\user\AppData\Roaming\RedLine.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 61bc7bd88d10e97264127fe545415b17
Source: C:\Users\user\AppData\Roaming\RedLine.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 61bc7bd88d10e97264127fe545415b17
Source: C:\Users\user\AppData\Roaming\RedLine.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 61bc7bd88d10e97264127fe545415b17
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Roaming\RedLine.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 28_2_00441975
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RedLine.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\user32dll.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe TID: 1312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe TID: 1308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe TID: 1316 Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe TID: 7028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe TID: 5456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2988 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 4972 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6088 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6272 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6272 Thread sleep time: -2100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6272 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1472 Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\hhzclipper.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\RedLine.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 28_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\RedLine.exe Window / User API: threadDelayed 4869
Source: C:\Users\user\AppData\Roaming\RedLine.exe Window / User API: threadDelayed 709
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_004012D9 rdtsc 0_2_004012D9
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_02770000 sldt word ptr [eax] 2_2_02770000
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetAdaptersInfo, 17_2_05622F7E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetAdaptersInfo, 17_2_05622F56
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
Source: RedLine.exe, 00000010.00000002.568143056.0000000000AFD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: RedLine.MainPanel-cracked.exe, 00000004.00000002.343858216.00000000009DE000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy9
Source: Keylogger.exe, 00000002.00000002.346733504.0000000000E49000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Keylogger.exe, 00000002.00000002.346733504.0000000000E49000.00000004.00000020.sdmp, netsh.exe, 00000016.00000003.392033076.000001A36A565000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\RedLine.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_004161B0 memset,GetSystemInfo, 28_2_004161B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 28_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 28_2_00407E0E

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 28_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_004011CF LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA, 0_2_004011CF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_0040119D mov eax, dword ptr fs:[00000030h] 0_2_0040119D
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_004011AF mov eax, dword ptr fs:[00000030h] 0_2_004011AF
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_00401AE1 GetCommandLineA,GetModuleHandleA,GetProcessHeap,ExitProcess, 0_2_00401AE1
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Code function: 0_2_004012D9 rdtsc 0_2_004012D9
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\RedLine.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_02F77B38 LdrInitializeThunk, 17_2_02F77B38
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: FFFFFFFF
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
.NET source code references suspicious native API functions
Source: Keylogger.exe.0.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Keylogger.exe.0.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: Windows Update.exe.2.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Windows Update.exe.2.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.0.Keylogger.exe.760000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.0.Keylogger.exe.760000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.Keylogger.exe.760000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.Keylogger.exe.760000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: WindowsUpdate.exe.17.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: WindowsUpdate.exe.17.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 17.0.Windows Update.exe.d40000.8.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 17.0.Windows Update.exe.d40000.8.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 17.2.Windows Update.exe.d40000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 17.2.Windows Update.exe.d40000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 17.0.Windows Update.exe.d40000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 17.0.Windows Update.exe.d40000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 17.0.Windows Update.exe.d40000.12.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 17.0.Windows Update.exe.d40000.12.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\Keylogger.exe "C:\Users\user\AppData\Local\Temp\Keylogger.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\hhzclipper.exe "C:\Users\user\AppData\Local\Temp\hhzclipper.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HOST.bat" "
Source: C:\Users\user\Desktop\Hpdyv8oO3j.exe Process created: C:\Users\user\AppData\Local\Temp\ViRuS.exe "C:\Users\user\AppData\Local\Temp\ViRuS.exe"
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe Process created: C:\Users\user\AppData\Roaming\RedLine.exe "C:\Users\user\AppData\Roaming\RedLine.exe"
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\system32\user32dll.exe
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2528
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "ViRuS.exe"
Source: C:\Windows\SysWOW64\user32dll.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im "user32dll.exe"
Source: hhzclipper.exe, 00000003.00000002.568063483.0000000000D70000.00000002.00020000.sdmp, RedLine.exe, 00000010.00000002.570514509.0000000002AEA000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: hhzclipper.exe, 00000003.00000002.568063483.0000000000D70000.00000002.00020000.sdmp, ViRuS.exe, RedLine.exe, 00000010.00000002.568694026.0000000001130000.00000002.00020000.sdmp, user32dll.exe, 00000013.00000000.354827611.0000000000401000.00000020.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RedLine.exe, 00000010.00000002.568091160.0000000000AE0000.00000004.00000020.sdmp Binary or memory string: Program ManageressMgmt
Source: hhzclipper.exe, 00000003.00000002.568063483.0000000000D70000.00000002.00020000.sdmp, RedLine.exe, 00000010.00000002.568694026.0000000001130000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RedLine.exe, 00000010.00000002.568091160.0000000000AE0000.00000004.00000020.sdmp Binary or memory string: Program Managerssions5H
Source: hhzclipper.exe, 00000003.00000002.568063483.0000000000D70000.00000002.00020000.sdmp, RedLine.exe, 00000010.00000002.568694026.0000000001130000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ViRuS.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 28_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 28_2_00407674 GetVersionExW, 28_2_00407674

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Roaming\RedLine.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\RedLine.exe" "RedLine.exe" ENABLE
Modifies the windows firewall
Source: C:\Users\user\AppData\Roaming\RedLine.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\RedLine.exe" "RedLine.exe" ENABLE
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
AV process strings found (often used to terminate AV products)
Source: ViRuS.exe, 00000008.00000002.329695715.00000000007B3000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\AppData\Local\Temp\ViRuS.exe
Source: ViRuS.exe, 00000008.00000003.327041471.00000000007D2000.00000004.00000001.sdmp Binary or memory string: sers\user\AppData\Local\Temp\ViRuS.exe
Source: Hpdyv8oO3j.exe, ViRuS.exe, 00000008.00000003.327041471.00000000007D2000.00000004.00000001.sdmp Binary or memory string: ViRuS.exe
Source: ViRuS.exe, 00000008.00000002.329851075.0000000002780000.00000004.00000001.sdmp Binary or memory string: \user\AppData\Local\Temp\ViRuS.exe
Source: Windows Update.exe, 00000011.00000002.404011011.0000000006D70000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: ViRuS.exe, 00000008.00000003.327041471.00000000007D2000.00000004.00000001.sdmp Binary or memory string: \??\C:\Users\user\AppData\Local\Temp\ViRuS.exe
Source: Hpdyv8oO3j.exe, 00000000.00000002.321723286.0000000000199000.00000004.00000001.sdmp Binary or memory string: C:\Users\user\AppData\Local\Temp\ViRuS.exeppData\Local\Temp\ViRuS.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 17.3.Windows Update.exe.6e1b39a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.7bfa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Keylogger.exe.eb4e92.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.43d7e00.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.7bfa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d9fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.43d7e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.567099655.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401457902.00000000043D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.525622624.00000000046C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Keylogger.exe PID: 4492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6444, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Yara detected HawkEye Keylogger
Source: Yara match File source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.401046205.000000000384C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401022146.0000000003844000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Keylogger.exe PID: 4492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Yara detected Njrat
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2a99190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2aa6b58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2886cd8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ae6cd8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2aa6a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 4140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 7032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.exe PID: 4236, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 28.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.769c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d49c0d.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4592050.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.769c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4592050.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000000.394707935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.395296595.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.412155949.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.402244108.0000000004591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.525622624.00000000046C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.393916948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match File source: 2.2.Keylogger.exe.7bfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.768208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.768208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.Windows Update.exe.6e1b39a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Keylogger.exe.eb4e92.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.7bfa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d49c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.d9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d48208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d9fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d49c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Keylogger.exe.769c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.Windows Update.exe.d40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Keylogger.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.33faa98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.401046205.000000000384C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401022146.0000000003844000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Keylogger.exe PID: 4492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Keylogger.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Yara detected Njrat
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2a99190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2a99190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2aa6b58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.24b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2886cd8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RedLine.MainPanel-cracked.exe.2879310.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2630000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RedLine.MainPanel-cracked.exe.2ae6cd8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2aa6a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RedLine.exe.2700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 4140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.MainPanel-cracked.exe PID: 7032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RedLine.exe PID: 4236, type: MEMORYSTR
Detected HawkEye Rat
Source: Keylogger.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Keylogger.exe String found in binary or memory: HawkEyeKeylogger
Source: Keylogger.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Keylogger.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Keylogger.exe, 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Keylogger.exe, 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Keylogger.exe, 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Keylogger.exe, 00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Windows Update.exe String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: Windows Update.exe, 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_05040A8E listen, 2_2_05040A8E
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_05040E9E bind, 2_2_05040E9E
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_05040A50 CreateMutexW,listen, 2_2_05040A50
Source: C:\Users\user\AppData\Local\Temp\Keylogger.exe Code function: 2_2_05040E6B bind, 2_2_05040E6B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_05620A8E listen, 17_2_05620A8E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_05620E9E bind, 17_2_05620E9E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_05620E6B bind, 17_2_05620E6B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_05620A50 CreateMutexW,listen, 17_2_05620A50