Windows Analysis Report
steg.exe

Overview

General Information

Sample Name: steg.exe
Analysis ID: 593806
MD5: 30747bb37997b54d37bae65ae590b7e8
SHA1: d702ffaac8bf35f3372ef2c310b21eef8a91f6ea
SHA256: a39f2e3d1a27bd091c689a09499b374e5f6743de23b42bfd9c7a17c1d49dfad7
Tags: NETexehawkeyekeylogger
Infos:

Detection

HawkEye BrowserPasswordDump Tool EmailPasswordDump Tool
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HawkEye Keylogger
Yara detected AntiVM3
Antivirus detection for dropped file
Yara detected EmailPasswordDump Tool by SecurityXploded
Yara detected BrowserPasswordDump Tool by SecurityXploded
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Installs a global keyboard hook
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: CurrentVersion Autorun Keys Modification
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to query network adapater information
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: TR/Golroted.xous
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: TR/Golroted.xous
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: TR/Spy.Gen
Multi AV Scanner detection for submitted file
Source: steg.exe Virustotal: Detection: 71% Perma Link
Source: steg.exe ReversingLabs: Detection: 88%
Antivirus / Scanner detection for submitted sample
Source: steg.exe Avira: detected
Source: steg.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: steg.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack Avira: Label: TR/Golroted.xous
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack Avira: Label: TR/Spy.Gen
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack Avira: Label: TR/Golroted.xous
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack Avira: Label: TR/Spy.Gen
Source: 14.2.Windows Update.exe.ac0000.0.unpack Avira: Label: TR/Golroted.xous
Source: 14.2.Windows Update.exe.ac0000.0.unpack Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.0.unpack Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.0.unpack Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.9.unpack Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.9.unpack Avira: Label: TR/Spy.Gen
Source: 0.0.steg.exe.f80000.0.unpack Avira: Label: TR/Golroted.xous
Source: 0.0.steg.exe.f80000.0.unpack Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.6.unpack Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.6.unpack Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.0.unpack Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.0.unpack Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.9.unpack Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.9.unpack Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.3.unpack Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.3.unpack Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.3.unpack Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.3.unpack Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.6.unpack Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.6.unpack Avira: Label: TR/Spy.Gen
Source: 0.2.steg.exe.f80000.0.unpack Avira: Label: TR/Golroted.xous
Source: 0.2.steg.exe.f80000.0.unpack Avira: Label: TR/Spy.Gen
Source: 4.2.Windows Update.exe.10000.0.unpack Avira: Label: TR/Golroted.xous
Source: 4.2.Windows Update.exe.10000.0.unpack Avira: Label: TR/Spy.Gen
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.4:49770 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.4:49779 version: TLS 1.0
Uses 32bit PE files
Source: steg.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\steg.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: steg.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbfX source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] z source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.357606780.00000000011EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDB source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbT source: Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 1ioC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbf source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb 1X source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\dll\mscorlib.pdbf source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp
May infect USB drives
Source: steg.exe Binary or memory string: autorun.inf
Source: steg.exe Binary or memory string: [autorun]
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: autorun.inf
Source: Windows Update.exe Binary or memory string: [autorun]
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe, 00000004.00000002.302693901.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000004.00000002.302693901.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: steg.exe Binary or memory string: autorun.inf
Source: steg.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe.4.dr Binary or memory string: autorun.inf
Source: WindowsUpdate.exe.4.dr Binary or memory string: [autorun]
Source: Windows Update.exe.0.dr Binary or memory string: autorun.inf
Source: Windows Update.exe.0.dr Binary or memory string: [autorun]
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\steg.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 0_2_03370728
Source: C:\Users\user\Desktop\steg.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 0_2_033714C8
Source: C:\Users\user\Desktop\steg.exe Code function: 4x nop then jmp 03371A7Bh 0_2_033719B8
Source: C:\Users\user\Desktop\steg.exe Code function: 4x nop then jmp 03371A7Bh 0_2_033719A8
Source: C:\Users\user\Desktop\steg.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 0_2_03371800
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then jmp 04BA1A7Bh 12_2_04BA19B8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 12_2_04BA0728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then jmp 04BA1A7Bh 12_2_04BA19A8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 12_2_04BA1800
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 12_2_04BA14C8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 14_2_053A6228
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 14_2_053A0728
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 14_2_053A6218
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 14_2_053A1800
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 053A1A7Bh 14_2_053A19B8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 053A1A7Bh 14_2_053A19A8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then mov esp, ebp 14_2_053A4780
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 14_2_053A14C8

Networking
barindex
May check the online IP address of the machine
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.4:49770 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.4:49779 version: TLS 1.0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 108.177.127.109:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 108.177.127.109:587
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr String found in binary or memory: http://192.99.212.64/WebPanel/log.php?username=
Source: Windows Update.exe, 0000000E.00000002.358146560.0000000001249000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
Source: Windows Update.exe String found in binary or memory: http://digg.com
Source: Windows Update.exe String found in binary or memory: http://dyn.com/dns/
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr String found in binary or memory: http://dyn.com/dns//
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: Windows Update.exe.0.dr String found in binary or memory: http://securityxploded.com/browser-password-dump.php
Source: Windows Update.exe.0.dr String found in binary or memory: http://securityxploded.com/email-password-dump.php
Source: Windows Update.exe String found in binary or memory: http://slashdot.org/bookmark.pl
Source: Windows Update.exe String found in binary or memory: http://twitter.com/
Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr String found in binary or memory: http://whatismyipaddress.com/-
Source: Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.comx&#q
Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.comx&#qH
Source: Windows Update.exe.0.dr String found in binary or memory: http://www.SecurityXploded.com
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comceta
Source: steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: steg.exe, 00000000.00000003.243241778.0000000005B88000.00000004.00000800.00020000.00000000.sdmp, steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Windows Update.exe String found in binary or memory: http://www.linkedin.com/
Source: Windows Update.exe String found in binary or memory: http://www.myspace.com
Source: Windows Update.exe String found in binary or memory: http://www.reddit.com/login
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.coman
Source: steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.come
Source: steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comr
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Windows Update.exe String found in binary or memory: http://www.stumbleupon.com/sign_up.php
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: steg.exe, 00000000.00000003.243445751.0000000005B88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com-
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr String found in binary or memory: https://000001BB00000050.oeaccount
Source: Windows Update.exe String found in binary or memory: https://accounts.google.com/servicelogin
Source: Windows Update.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe String found in binary or memory: https://my.screenname.aol.com/_cqr/login/login.psp
Source: Windows Update.exe String found in binary or memory: https://myspace.com
Source: Windows Update.exe String found in binary or memory: https://pinterest.com/login/
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: Windows Update.exe String found in binary or memory: https://signin.ebay.com/ws/ebayisapi.dll
Source: Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/mail/?p=BadCredentials
Source: Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/mail/?p=WantAuthError
Source: Windows Update.exe String found in binary or memory: https://twitter.com/
Source: Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.comx&#q
Source: Windows Update.exe String found in binary or memory: https://www.amazon.com/ap/signin/190-9059340-4656153
Source: Windows Update.exe String found in binary or memory: https://www.amazon.com/gp/css/homepage.html
Source: Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Windows Update.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr String found in binary or memory: https://www.noip.com/
Source: unknown DNS traffic detected: queries for: 140.244.14.0.in-addr.arpa
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_012BA09A recv, 14_2_012BA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 22 Mar 2022 02:35:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Chl-Bypass: 1Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTX-Frame-Options: SAMEORIGINExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Set-Cookie: __cf_bm=3T2zMhWJGUJiFvFygp4Ze35_fGFAV8AUcX3bmxdV52o-1647916550-0-AY8ARkBKAY0npUTkZLgdxWJqOZhqmSjbY7aXc+zs0c6A/7TMhypnyvrbA2CHANpeBLYSTVgqKfJygLjIYrQUBFI=; path=/; expires=Tue, 22-Mar-22 03:05:50 GMT; domain=.whatismyipaddress.com; HttpOnly; SecureServer: cloudflareCF-RAY: 6efb89487ef75c7a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 22 Mar 2022 02:36:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Chl-Bypass: 1Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTX-Frame-Options: SAMEORIGINExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Set-Cookie: __cf_bm=hUhD2UdX9KkVERfiV5SDQBrwmWvqrKnJHnrZS9gL4WQ-1647916576-0-Af8AuUM/CWRh6nfYYBFJyHJJ4OBNTTTEmP62nrYSdhQuKojNAEw1zeh8LNsfpa7olf2S2L1utyAPIOltIVpa2lM=; path=/; expires=Tue, 22-Mar-22 03:06:16 GMT; domain=.whatismyipaddress.com; HttpOnly; SecureServer: cloudflareCF-RAY: 6efb89ea99529064-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: Windows Update.exe.0.dr String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.facebook.com (Facebook)
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.linkedin.com (Linkedin)
Source: Windows Update.exe.0.dr String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.myspace.com (Myspace)
Source: Windows Update.exe.0.dr String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.twitter.com (Twitter)
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.yahoo.com (Yahoo)
Source: Windows Update.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Windows Update.exe String found in binary or memory: http://www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: Windows Update.exe String found in binary or memory: http://www.myspace.com equals www.myspace.com (Myspace)
Source: Windows Update.exe String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: steg.exe, type: SAMPLE
Source: Yara match File source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.302645603.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe Jump to behavior
Contains functionality to log keystrokes (.Net Source)
Source: steg.exe, Form1.cs .Net Code: HookKeyboard
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: HookKeyboard
Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: WindowsUpdate.exe.4.dr, Form1.cs .Net Code: HookKeyboard
Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs .Net Code: HookKeyboard
Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs .Net Code: HookKeyboard
Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs .Net Code: HookKeyboard
Creates a DirectInput object (often for capturing keystrokes)
Source: steg.exe, 00000000.00000002.282881047.000000000177A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
One or more processes crash
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708
Detected potential crypto function
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FDE077 0_2_00FDE077
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FF8070 0_2_00FF8070
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F9B2E7 0_2_00F9B2E7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F9C2C7 0_2_00F9C2C7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F90287 0_2_00F90287
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F90397 0_2_00F90397
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FAC387 0_2_00FAC387
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F9E337 0_2_00F9E337
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FC64F7 0_2_00FC64F7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F9F4F7 0_2_00F9F4F7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FF7590 0_2_00FF7590
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FBA6E7 0_2_00FBA6E7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FAB6E7 0_2_00FAB6E7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FC46C7 0_2_00FC46C7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FC7627 0_2_00FC7627
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FF87EC 0_2_00FF87EC
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FA2707 0_2_00FA2707
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FE4987 0_2_00FE4987
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_010798D1 0_2_010798D1
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FCFAC7 0_2_00FCFAC7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FE3A57 0_2_00FE3A57
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F8FA17 0_2_00F8FA17
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F8FB27 0_2_00F8FB27
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FF7B00 0_2_00FF7B00
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FA7C87 0_2_00FA7C87
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FD2C77 0_2_00FD2C77
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FCDC27 0_2_00FCDC27
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FDFD97 0_2_00FDFD97
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FF4D00 0_2_00FF4D00
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F93EC7 0_2_00F93EC7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00F8FFF7 0_2_00F8FFF7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FE7FC7 0_2_00FE7FC7
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FF9F2B 0_2_00FF9F2B
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FB4F07 0_2_00FB4F07
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_03371E53 0_2_03371E53
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0006E077 4_2_0006E077
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00088070 4_2_00088070
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000FD0AC 4_2_000FD0AC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000DB0DC 4_2_000DB0DC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00020287 4_2_00020287
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000C02CC 4_2_000C02CC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0002C2C7 4_2_0002C2C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0002B2E7 4_2_0002B2E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0002E337 4_2_0002E337
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0003C387 4_2_0003C387
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00020397 4_2_00020397
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000564F7 4_2_000564F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0002F4F7 4_2_0002F4F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000F950C 4_2_000F950C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00087590 4_2_00087590
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000F85DC 4_2_000F85DC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00057627 4_2_00057627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000546C7 4_2_000546C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0004A6E7 4_2_0004A6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0003B6E7 4_2_0003B6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00032707 4_2_00032707
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000887EC 4_2_000887EC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_001098D1 4_2_001098D1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00074987 4_2_00074987
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0001FA17 4_2_0001FA17
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00073A57 4_2_00073A57
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0005FAC7 4_2_0005FAC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00087B00 4_2_00087B00
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0001FB27 4_2_0001FB27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_000F2BFC 4_2_000F2BFC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0005DC27 4_2_0005DC27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00062C77 4_2_00062C77
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00037C87 4_2_00037C87
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00084D00 4_2_00084D00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00338070 12_2_00338070
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_0031E077 12_2_0031E077
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_003AD0AC 12_2_003AD0AC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002D0287 12_2_002D0287
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002DB2E7 12_2_002DB2E7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002DC2C7 12_2_002DC2C7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002DE337 12_2_002DE337
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002EC387 12_2_002EC387
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002D0397 12_2_002D0397
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_003064F7 12_2_003064F7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002DF4F7 12_2_002DF4F7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00337590 12_2_00337590
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00307627 12_2_00307627
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002FA6E7 12_2_002FA6E7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002EB6E7 12_2_002EB6E7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_003046C7 12_2_003046C7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002E2707 12_2_002E2707
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_003387EC 12_2_003387EC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_003B98D1 12_2_003B98D1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00324987 12_2_00324987
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002CFA17 12_2_002CFA17
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00323A57 12_2_00323A57
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_0030FAC7 12_2_0030FAC7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002CFB27 12_2_002CFB27
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00337B00 12_2_00337B00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_0030DC27 12_2_0030DC27
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00312C77 12_2_00312C77
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002E7C87 12_2_002E7C87
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00334D00 12_2_00334D00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_0031FD97 12_2_0031FD97
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002D3EC7 12_2_002D3EC7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00339F2B 12_2_00339F2B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002F4F07 12_2_002F4F07
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_002CFFF7 12_2_002CFFF7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_00327FC7 12_2_00327FC7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_04BA1E53 12_2_04BA1E53
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B38070 14_2_00B38070
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B1E077 14_2_00B1E077
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AD0287 14_2_00AD0287
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00ADB2E7 14_2_00ADB2E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00ADC2C7 14_2_00ADC2C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AEC387 14_2_00AEC387
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AD0397 14_2_00AD0397
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00ADE337 14_2_00ADE337
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B064F7 14_2_00B064F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00ADF4F7 14_2_00ADF4F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B37590 14_2_00B37590
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AFA6E7 14_2_00AFA6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AEB6E7 14_2_00AEB6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B07627 14_2_00B07627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B046C7 14_2_00B046C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B07627 14_2_00B07627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B387EC 14_2_00B387EC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AE2707 14_2_00AE2707
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00BB98D1 14_2_00BB98D1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B24987 14_2_00B24987
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B0FAC7 14_2_00B0FAC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00ACFA17 14_2_00ACFA17
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B23A57 14_2_00B23A57
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00ACFB27 14_2_00ACFB27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B37B00 14_2_00B37B00
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AE7C87 14_2_00AE7C87
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B0DC27 14_2_00B0DC27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B12C77 14_2_00B12C77
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B1FD97 14_2_00B1FD97
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B34D00 14_2_00B34D00
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AD3EC7 14_2_00AD3EC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00ACFFF7 14_2_00ACFFF7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B27FC7 14_2_00B27FC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B39F2B 14_2_00B39F2B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00AF4F07 14_2_00AF4F07
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_053A5C18 14_2_053A5C18
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_053A5C13 14_2_053A5C13
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_053A1C60 14_2_053A1C60
PE file contains strange resources
Source: steg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: steg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: steg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: security.dll Jump to behavior
Uses 32bit PE files
Source: steg.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: steg.exe, type: SAMPLE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.2.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.0.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.8.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.2.Windows Update.exe.acb377.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.4.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.4.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.f8b377.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.100d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.11.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.2.Windows Update.exe.b4d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.7.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.1.Windows Update.exe.1b377.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.7.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.10.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.2.steg.exe.100d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.1.Windows Update.exe.1b377.0.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.1.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.1.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.0.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.2.steg.exe.f8b377.2.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.11.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.5.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.10.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.5.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.2.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.8.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00B2EC57 appears 43 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 0007EC57 appears 38 times
Source: C:\Users\user\Desktop\steg.exe Code function: String function: 00FEEC57 appears 43 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 0032EC57 appears 43 times
Sample file is different than original file name gathered from version info
Source: steg.exe Binary or memory string: OriginalFilename vs steg.exe
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStub.exe, vs steg.exe
Source: steg.exe, 00000000.00000002.282881047.000000000177A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs steg.exe
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe, vs steg.exe
Source: steg.exe Binary or memory string: OriginalFilenameStub.exe, vs steg.exe
Source: steg.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\steg.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/15@9/3
Source: C:\Users\user\Desktop\steg.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: steg.exe, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Windows Update.exe.0.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WindowsUpdate.exe.4.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: steg.exe Virustotal: Detection: 71%
Source: steg.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\Desktop\steg.exe File read: C:\Users\user\Desktop\steg.exe Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\steg.exe "C:\Users\user\Desktop\steg.exe"
Source: C:\Users\user\Desktop\steg.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2676
Source: C:\Users\user\Desktop\steg.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2676 Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_05523C92 AdjustTokenPrivileges, 14_2_05523C92
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_05523C5B AdjustTokenPrivileges, 14_2_05523C5B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\steg.exe File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt Jump to behavior
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: select * from logins where blacklisted_by_user=0;
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: select * from moz_logins;/signons.txt/signons2.txt/signons3.txt\signons.sqlite#2c#2d---nss3.dllNSS_InitNSS_ShutdownPK11_GetInternalKeySlotPK11_FreeSlotPK11_AuthenticatePK11SDR_DecryptPK11_CheckUserPassword0
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 0000000E.00000003.351328752.0000000007544000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: select * from moz_logins;
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\steg.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: steg.exe, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: Windows Update.exe.0.dr, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: WindowsUpdate.exe.4.dr, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: steg.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: steg.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: steg.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: steg.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: Windows Update.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Windows Update.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Windows Update.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Windows Update.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: steg.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\steg.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: steg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: steg.exe Static file information: File size 1167872 > 1048576
Source: steg.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x119c00
Source: steg.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbfX source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] z source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.357606780.00000000011EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDB source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbT source: Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 1ioC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbf source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb 1X source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\dll\mscorlib.pdbf source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: steg.exe, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.4.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_01072941 push ecx; ret 0_2_01072954
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FEEC9C push ecx; ret 0_2_00FEECAF
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_00102941 push ecx; ret 4_2_00102954
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4_2_0007EC9C push ecx; ret 4_2_0007ECAF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_003B2941 push ecx; ret 12_2_003B2954
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_0032EC9C push ecx; ret 12_2_0032ECAF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 12_2_0254049C push ebx; retf 12_2_0254049D
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00BB2941 push ecx; ret 14_2_00BB2954
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_00B2EC9C push ecx; ret 14_2_00B2ECAF
Drops PE files
Source: C:\Users\user\Desktop\steg.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Function Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadInformationSet,threadCreated,threadInformationSet,threadResumed,memAlloc,memAlloc,threadDelayed,processSet,processSet,threadDelayed,windowEnumerated,messagePosted,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,networkSend,deviceIO
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\steg.exe TID: 6616 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3600 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5908 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5908 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5908 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5164 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1728 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6884 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6884 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6884 Thread sleep time: -100000s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\steg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Contains functionality to query network adapater information
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetAdaptersInfo, 14_2_055217D6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetAdaptersInfo, 14_2_055217B4
Source: C:\Users\user\Desktop\steg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000 Jump to behavior
Source: Windows Update.exe, 0000000E.00000002.357606780.00000000011EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/o
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 14_2_053A6358 LdrInitializeThunk, 14_2_053A6358
Source: C:\Users\user\Desktop\steg.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: steg.exe, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: steg.exe, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: steg.exe, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: Windows Update.exe.0.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Windows Update.exe.0.dr, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: Windows Update.exe.0.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.steg.exe.f80000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 0.0.steg.exe.f80000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.steg.exe.f80000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 0.2.steg.exe.f80000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: WindowsUpdate.exe.4.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: WindowsUpdate.exe.4.dr, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: WindowsUpdate.exe.4.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.0.Windows Update.exe.10000.9.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 4.0.Windows Update.exe.10000.9.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.0.Windows Update.exe.10000.6.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 4.0.Windows Update.exe.10000.6.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.0.Windows Update.exe.10000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 4.0.Windows Update.exe.10000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.0.Windows Update.exe.10000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 4.0.Windows Update.exe.10000.3.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.2.Windows Update.exe.10000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 4.2.Windows Update.exe.10000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.2.Windows Update.exe.ac0000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 14.2.Windows Update.exe.ac0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.0.Windows Update.exe.ac0000.0.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 14.0.Windows Update.exe.ac0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.0.Windows Update.exe.ac0000.9.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 14.0.Windows Update.exe.ac0000.9.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.0.Windows Update.exe.ac0000.3.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: 14.0.Windows Update.exe.ac0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.0.Windows Update.exe.ac0000.6.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.0.Windows Update.exe.ac0000.6.unpack, RunPEx.cs Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\steg.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2676 Jump to behavior
Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Program Manager - X1
Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerP
Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Program Manager - 3/22/2022 4:04:32 AM]
Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Program Manager - 3/22/2022 4:04:32 AM
Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Program Manager
Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qedProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\steg.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\steg.exe Code function: 0_2_00FEB5AE cpuid 0_2_00FEB5AE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
AV process strings found (often used to terminate AV products)
Source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: steg.exe, type: SAMPLE
Source: Yara match File source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.302645603.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Yara detected EmailPasswordDump Tool by SecurityXploded
Source: Yara match File source: steg.exe, type: SAMPLE
Source: Yara match File source: 4.2.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.100d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.b4d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.100d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Windows Update.exe.1b377.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.351328752.0000000007544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Yara detected BrowserPasswordDump Tool by SecurityXploded
Source: Yara match File source: steg.exe, type: SAMPLE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.acb377.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f8b377.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Windows Update.exe.1b377.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Windows Update.exe.1b377.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f8b377.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Yara detected Credential Stealer
Source: Yara match File source: steg.exe, type: SAMPLE
Source: Yara match File source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: steg.exe, type: SAMPLE
Source: Yara match File source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.302645603.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Detected HawkEye Rat
Source: steg.exe String found in binary or memory: HawkEye_Keylogger_Recoveries_
Source: steg.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: steg.exe String found in binary or memory: HawkEyeKeylogger
Source: steg.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: steg.exe, 00000000.00000002.283184355.00000000036D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Recoveries_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger|9
Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000004.00000002.302645603.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000004.00000002.301900537.0000000002711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Recoveries_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000C.00000002.333848702.0000000002991000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Recoveries_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger|9
Source: Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 0000000E.00000002.359194697.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: steg.exe String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: steg.exe String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: steg.exe String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: steg.exe String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe.4.dr String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe.4.dr String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe.4.dr String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: WindowsUpdate.exe.4.dr String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe.0.dr String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe.0.dr String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe.0.dr String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe.0.dr String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593806 Sample: steg.exe Startdate: 22/03/2022 Architecture: WINDOWS Score: 100 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 13 other signatures 2->50 7 steg.exe 7 2->7         started        10 WindowsUpdate.exe 7 2->10         started        process3 file4 24 C:\Users\user\AppData\...\Windows Update.exe, PE32 7->24 dropped 26 C:\...\Windows Update.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\AppData\Local\...\steg.exe.log, ASCII 7->28 dropped 13 Windows Update.exe 16 8 7->13         started        30 C:\Users\user\...\WindowsUpdate.exe.log, ASCII 10->30 dropped 52 Antivirus detection for dropped file 10->52 54 Multi AV Scanner detection for dropped file 10->54 56 Machine Learning detection for dropped file 10->56 18 Windows Update.exe 8 10->18         started        signatures5 process6 dnsIp7 36 smtp.gmail.com 108.177.127.109, 49771, 49780, 587 GOOGLEUS United States 13->36 38 whatismyipaddress.com 104.16.155.36, 443, 49769, 49770 CLOUDFLARENETUS United States 13->38 42 2 other IPs or domains 13->42 32 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 13->32 dropped 34 C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII 13->34 dropped 58 Changes the view of files in windows explorer (hidden files and folders) 13->58 60 Installs a global keyboard hook 13->60 20 dw20.exe 22 6 13->20         started        40 140.244.14.0.in-addr.arpa 18->40 22 dw20.exe 18->22         started        file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.16.155.36
 whatismyipaddress.com United States
13335 CLOUDFLARENETUS false
108.177.127.109
 smtp.gmail.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
whatismyipaddress.com 104.16.155.36 true
smtp.gmail.com 108.177.127.109 true
140.244.14.0.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://whatismyipaddress.com/ false
    		high
    https://whatismyipaddress.com/ false
      		high