Analysis Report Prueba de pago.exe

Overview

General Information

Sample Name: Prueba de pago.exe
Analysis ID: 319596
MD5: b3a244a097904a4d6689a582d7ec9985
SHA1: b16032d83c91ee333221fafadd5f2381ca659d78
SHA256: 286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
Tags: ESP, exe, geo, HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Deletes itself after installation
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • Prueba de pago.exe (PID: 5080 cmdline: 'C:\Users\user\Desktop\Prueba de pago.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
    • Prueba de pago.exe (PID: 2168 cmdline: 'C:\Users\user\Desktop\Prueba de pago.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
      • Windows Update.exe (PID: 5672 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
        • Windows Update.exe (PID: 5388 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
          • dw20.exe (PID: 2220 cmdline: dw20.exe -x -s 2384 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 3484 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2488 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
    • WindowsUpdate.exe (PID: 6392 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
      • Windows Update.exe (PID: 6456 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
        • Windows Update.exe (PID: 6476 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
          • dw20.exe (PID: 7024 cmdline: dw20.exe -x -s 2376 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Dropped Files

Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.wer
Rule: SUSP_WER_Suspicious_Crash_Directory
Description: Detects a crashed application executed in a suspicious directory
Author: Florian Roth
Strings:
  • 0x11c:$a1: ReportIdentifier=
  • 0x19e:$a1: ReportIdentifier=
  • 0x75a:$a2: .Name=Fault Module Name
  • 0x4ad8:$a3: AppPath=
  • 0x4ad8:$l4: AppPath=C:\Users\
  • 0x4ad8:$s8: AppPath=C:\Users\user\AppData\Roaming\Windows Update.exe

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x56e54e:$key: HawkEyeKeylogger
  • 0x5707b8:$salt: 099u787978786
  • 0x56ebab:$string1: HawkEye_Keylogger
  • 0x56f9ea:$string1: HawkEye_Keylogger
  • 0x570718:$string1: HawkEye_Keylogger
  • 0x56ef80:$string2: holdermail.txt
  • 0x56efa0:$string2: holdermail.txt
  • 0x56eec2:$string3: wallet.dat
  • 0x56eeda:$string3: wallet.dat
  • 0x56eef0:$string3: wallet.dat
  • 0x5702dc:$string4: Keylog Records
  • 0x5705f4:$string4: Keylog Records
  • 0x570810:$string5: do not script -->
  • 0x56e536:$string6: \pidloc.txt
  • 0x56e5c4:$string7: BSPLIT
  • 0x56e5d4:$string7: BSPLIT

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x56ec03:$hawkstr1: HawkEye Keylogger
  • 0x56fa30:$hawkstr1: HawkEye Keylogger
  • 0x56fd5f:$hawkstr1: HawkEye Keylogger
  • 0x56feba:$hawkstr1: HawkEye Keylogger
  • 0x57001d:$hawkstr1: HawkEye Keylogger
  • 0x5702b4:$hawkstr1: HawkEye Keylogger
  • 0x56e775:$hawkstr2: Dear HawkEye Customers!
  • 0x56fdb2:$hawkstr2: Dear HawkEye Customers!
  • 0x56ff09:$hawkstr2: Dear HawkEye Customers!
  • 0x570070:$hawkstr2: Dear HawkEye Customers!
  • 0x56e896:$hawkstr3: HawkEye Logger Details:

Memory Dumps

Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x26a0:$hawkstr1: HawkEye Keylogger
  • 0x20ec:$hawkstr2: Dear HawkEye Customers!
  • 0x221e:$hawkstr3: HawkEye Logger Details:

Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b6e3:$key: HawkEyeKeylogger
  • 0x7d94d:$salt: 099u787978786
  • 0x7bd40:$string1: HawkEye_Keylogger
  • 0x7cb7f:$string1: HawkEye_Keylogger
  • 0x7d8ad:$string1: HawkEye_Keylogger
  • 0x7c115:$string2: holdermail.txt
  • 0x7c135:$string2: holdermail.txt
  • 0x7c057:$string3: wallet.dat
  • 0x7c06f:$string3: wallet.dat
  • 0x7c085:$string3: wallet.dat
  • 0x7d471:$string4: Keylog Records
  • 0x7d789:$string4: Keylog Records
  • 0x7d9a5:$string5: do not script -->
  • 0x7b6cb:$string6: \pidloc.txt
  • 0x7b759:$string7: BSPLIT
  • 0x7b769:$string7: BSPLIT

Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

200 entries in total; only the first are listed here.

Unpacked PEs

Source: 1.2.Prueba de pago.exe.2460000.3.unpack
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b8e3:$key: HawkEyeKeylogger
  • 0x7db4d:$salt: 099u787978786
  • 0x7bf40:$string1: HawkEye_Keylogger
  • 0x7cd7f:$string1: HawkEye_Keylogger
  • 0x7daad:$string1: HawkEye_Keylogger
  • 0x7c315:$string2: holdermail.txt
  • 0x7c335:$string2: holdermail.txt
  • 0x7c257:$string3: wallet.dat
  • 0x7c26f:$string3: wallet.dat
  • 0x7c285:$string3: wallet.dat
  • 0x7d671:$string4: Keylog Records
  • 0x7d989:$string4: Keylog Records
  • 0x7dba5:$string5: do not script -->
  • 0x7b8cb:$string6: \pidloc.txt
  • 0x7b959:$string7: BSPLIT
  • 0x7b969:$string7: BSPLIT

Source: 1.2.Prueba de pago.exe.2460000.3.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 1.2.Prueba de pago.exe.2460000.3.unpack
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 1.2.Prueba de pago.exe.2460000.3.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 1.2.Prueba de pago.exe.2460000.3.unpack
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bf98:$hawkstr1: HawkEye Keylogger
  • 0x7cdc5:$hawkstr1: HawkEye Keylogger
  • 0x7d0f4:$hawkstr1: HawkEye Keylogger
  • 0x7d24f:$hawkstr1: HawkEye Keylogger
  • 0x7d3b2:$hawkstr1: HawkEye Keylogger
  • 0x7d649:$hawkstr1: HawkEye Keylogger
  • 0x7bb0a:$hawkstr2: Dear HawkEye Customers!
  • 0x7d147:$hawkstr2: Dear HawkEye Customers!
  • 0x7d29e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d405:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc2b:$hawkstr3: HawkEye Logger Details:

153 entries in total; only the first are listed here.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: Prueba de pago.exe.5080.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 43%

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Joe Sandbox ML: detected

Machine Learning detection for sample
Source: Prueba de pago.exe | Joe Sandbox ML: detected
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.27d0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Prueba de pago.exe.2350000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.Prueba de pago.exe.2350000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 14.2.Windows Update.exe.2700000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.Windows Update.exe.2700000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.2820000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.Windows Update.exe.2820000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.Prueba de pago.exe.2460000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.Prueba de pago.exe.2460000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.2300000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.Windows Update.exe.2300000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.Windows Update.exe.2330000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.Windows Update.exe.2330000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.Windows Update.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.Windows Update.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.960000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.Windows Update.exe.960000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.Windows Update.exe.22a0000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.Windows Update.exe.22a0000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Prueba de pago.exe.2690000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.8d0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 3.2.Windows Update.exe.2210000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.1.Windows Update.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 15.1.Windows Update.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.Windows Update.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.Prueba de pago.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.Prueba de pago.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.Windows Update.exe.2310000.2.unpack | Avira: Label: TR/Crypt.ULPM.Gen
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Prueba de pago.exe | Binary or memory string: autorun.inf
Source: Prueba de pago.exe | Binary or memory string: [autorun]
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: autorun.inf
Source: Windows Update.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WERF1FE.tmp.mdmp.9.dr | Binary or memory string: autorun.inf
Source: WERF1FE.tmp.mdmp.9.dr | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_004089B8 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004089B8 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,

                Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | TCP traffic: 192.168.2.3:49728 -> 217.76.146.62:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: whatismyipaddress.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_021EA186 recv,
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Prueba de pago.exe, Windows Update.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000003.257268952.0000000000A0C000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000006.00000003.257268952.0000000000A0C000.00000004.00000001.sdmpString found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
                Source: unknownDNS traffic detected: queries for: 49.124.12.0.in-addr.arpa
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.
                Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.LinkId=42127
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                Source: Prueba de pago.exe, Windows Update.exe, Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, WERF1FE.tmp.mdmp.9.drString found in binary or memory: http://whatismyipaddress.com/-
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.comx&
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: Prueba de pago.exe, 00000001.00000003.220190167.0000000005171000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                Source: Prueba de pago.exe, 00000001.00000003.219120953.0000000005173000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.219169725.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comes
                Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comg
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: Prueba de pago.exe, 00000001.00000003.219169725.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comre
                Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comsio
                Source: Prueba de pago.exe, 00000001.00000003.219120953.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comues
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: Prueba de pago.exe, 00000001.00000003.227606996.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers)
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.222925322.0000000005171000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: Prueba de pago.exe, 00000001.00000003.222383609.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersX
                Source: Prueba de pago.exe, 00000001.00000003.222480530.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersc
                Source: Prueba de pago.exe, 00000001.00000003.222111568.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
                Source: Prueba de pago.exe, 00000001.00000003.222071225.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
                Source: Prueba de pago.exe, 00000001.00000003.222925322.0000000005171000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF_g
                Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comt
                Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comueno
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: Prueba de pago.exe, 00000001.00000003.218163414.000000000515A000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.218282268.0000000005172000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: Prueba de pago.exe, 00000001.00000003.218253485.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn$
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: Prueba de pago.exe, 00000001.00000003.218253485.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnT
                Source: Prueba de pago.exe, 00000001.00000003.218163414.000000000515A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnv
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: Prueba de pago.exe, 00000001.00000003.224253184.0000000000B1B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQt
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: Prueba de pago.exe, 00000001.00000003.221758265.0000000005176000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                Source: Prueba de pago.exe, 00000001.00000003.227980976.0000000000B1B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.fyB
                Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: Prueba de pago.exe, 00000001.00000003.218985995.0000000005156000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnb
                Source: Prueba de pago.exe, Windows Update.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: Windows Update.exe, 0000000F.00000002.305553059.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                Source: Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.comx&
                Source: Prueba de pago.exe, Windows Update.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, WERF1FE.tmp.mdmp.9.drString found in binary or memory: http://whatismyipaddress.com/-
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.comx&
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: Prueba de pago.exe, 00000001.00000003.220190167.0000000005171000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                Source: Prueba de pago.exe, 00000001.00000003.219120953.0000000005173000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.219169725.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comes
                Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comg
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: Prueba de pago.exe, 00000001.00000003.219169725.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comre
                Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comsio
                Source: Prueba de pago.exe, 00000001.00000003.219120953.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comues
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: Prueba de pago.exe, 00000001.00000003.227606996.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers)
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.222925322.0000000005171000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: Prueba de pago.exe, 00000001.00000003.222383609.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersX
                Source: Prueba de pago.exe, 00000001.00000003.222480530.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersc
                Source: Prueba de pago.exe, 00000001.00000003.222111568.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
                Source: Prueba de pago.exe, 00000001.00000003.222071225.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
                Source: Prueba de pago.exe, 00000001.00000003.222925322.0000000005171000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF_g
                Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comt
                Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comueno
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: Prueba de pago.exe, 00000001.00000003.218163414.000000000515A000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.218282268.0000000005172000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: Prueba de pago.exe, 00000001.00000003.218253485.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn$
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: Prueba de pago.exe, 00000001.00000003.218253485.0000000005172000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnT
                Source: Prueba de pago.exe, 00000001.00000003.218163414.000000000515A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnv
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: Prueba de pago.exe, 00000001.00000003.224253184.0000000000B1B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQt
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: Prueba de pago.exe, 00000001.00000003.221758265.0000000005176000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                Source: Prueba de pago.exe, 00000001.00000003.227980976.0000000000B1B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.fyB
                Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: Prueba de pago.exe, 00000001.00000003.218985995.0000000005156000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnb
                Source: Prueba de pago.exe, Windows Update.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: Windows Update.exe, 0000000F.00000002.305553059.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                Source: Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.comx&
                Source: Prueba de pago.exe, Windows Update.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
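The string list above mixes two very different things: URLs that every .NET form carrying embedded fonts and an Authenticode chain will contain (fontbureau.com, carterandcone.com, the comodoca.com CRL and OCSP endpoints) and the strings that belong to the sample itself (whatismyipaddress.com for the "May check the online IP address" behaviour, www.nirsoft.net from the bundled recovery tools, www.site.com/logs.php as an upload target to compare against the extracted configuration). Trailing junk such as "whatismyipaddress.comx&" or "carterandcone.comes" is not part of the URL: the string scanner reads past the real end of the literal into neighbouring bytes. The following Python is an added example, not part of the report; it parses lines in the report's own format, trims the junk, buckets hosts, and reports which process the hit came from. The allowlist, the TLD list and the category names are this example's assumptions, and SAMPLE_LINES is a constructed subset copied from the entries above.

```python
"""Triage of the report's "String found in binary or memory" entries.

Added example, not part of the Joe Sandbox report. SAMPLE_LINES is a
constructed subset copied from the report; the allowlist, the TLD list and
the category names are this example's own assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^Source:\s*(?P<sources>.*?)String found in binary or memory:\s*(?P<url>\S+)"
)
PROC_RE = re.compile(r"[\w .]+?\.exe")
# A dump string is not NUL-terminated from the scanner's point of view, so the
# bytes that follow the real URL are reported as part of it. Keep the host only
# up to a TLD this sample uses (assumed list); anything after it is junk.
HOST_RE = re.compile(r"^((?:[a-z0-9-]+\.)+(?:com|net|org|cn|kr|jp|de))")

# Font-vendor and code-signing URLs come from the fonts the .NET form embeds
# and from the Authenticode chain, not from the operator (assumed allowlist).
NOISE_SUFFIXES = (
    "fontbureau.com", "carterandcone.com", "founder.com.cn", "zhongyicts.com.cn",
    "fontfabrik.com", "fonts.com", "sajatypeworks.com", "sakkal.com",
    "sandoll.co.kr", "goodfont.co.kr", "jiyu-kobo.co.jp", "tiro.com",
    "typography.net", "urwpp.de", "galapagosdesign.com", "ascendercorp.com",
    "apache.org", "comodoca.com",
)
IP_CHECK_HOSTS = {"whatismyipaddress.com"}   # the "May check the online IP address" signature
TOOLKIT_HOSTS = {"www.nirsoft.net"}          # bundled NirSoft recovery tools (MailPassView etc.)

SAMPLE_LINES = [  # constructed subset of the report's entries
    "Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php",
    "Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.comx&",
    "Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/",
    "Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comes",
    "Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.",
    "Source: Prueba de pago.exe, Windows Update.exeString found in binary or memory: https://login.yahoo.com/config/login",
]


def parse_line(line):
    """Return ({process names}, raw url) for a string-hit line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    procs = {p.strip() for p in PROC_RE.findall(m["sources"])}
    return procs, m["url"]


def normalize_host(raw_host):
    """'whatismyipaddress.comx&' -> 'whatismyipaddress.com'; None if no TLD
    is recognisable (e.g. the truncated 'go.microsoft.')."""
    m = HOST_RE.match(raw_host.lower())
    return m.group(1) if m else None


def classify(host):
    if host in IP_CHECK_HOSTS:
        return "ip-check"
    if host in TOOLKIT_HOSTS:
        return "embedded-tool"
    if any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES):
        return "noise"
    return "review"   # e.g. www.site.com/logs.php: compare with the extracted config


def triage(lines):
    """Group hits by normalised host; returns (hits, urls that could not be parsed)."""
    hits = defaultdict(lambda: {"category": None, "processes": set(), "urls": set()})
    unparsed = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        procs, url = parsed
        host = normalize_host(urlsplit(url).netloc)
        if host is None:
            unparsed.append(url)
            continue
        entry = hits[host]
        entry["category"] = classify(host)
        entry["processes"] |= procs
        entry["urls"].add(url)
    return dict(hits), unparsed


def indicators(hits):
    """Hosts worth carrying into detection content, noise excluded."""
    return sorted(h for h, e in hits.items() if e["category"] != "noise")


if __name__ == "__main__":
    found, bad = triage(SAMPLE_LINES)
    for host in indicators(found):
        e = found[host]
        print(f"{e['category']:<14} {host:<28} {', '.join(sorted(e['processes']))}")
    print("unparseable:", bad)
```

Feeding the full list through this leaves a short set of hosts to look at by hand; a truncated string such as "http://go.microsoft." is reported separately rather than silently dropped, because a truncated URL can still be the only trace of a download location.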

                 Key, Mouse, Clipboard, Microphone and Screen Capturing:

                 Yara detected HawkEye Keylogger
                Source: Yara matchFile source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.305679255.0000000002E2C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
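The dump identifiers in the Yara hits above carry more than a file name. Read as fields, "0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp" is process index 15, analysis phase 2, a sequence number, base address 0x2302000, and a page-protection value of 0x40, which is PAGE_EXECUTE_READWRITE. The same process has a matching ".unpack" entry, "15.2.Windows Update.exe.2300000.3.unpack", so the name can be recovered from the list itself. Code that a Yara rule finds in RWX private memory is code that was written there at run time, which is what the overview's "Detected unpacking" and "Injects a PE file into a foreign processes" signatures describe. The Python below is an added example, not part of the report: it decodes the identifiers and lists, per process, the regions where a HawkEye hit sits in RWX memory. The field layout is this example's reading of Joe Sandbox's dump naming (the last eight-digit field is left undecoded), the phase meaning is an assumption, and SAMPLE_LINES is a constructed subset of the entries above.

```python
"""Decode the memory-dump identifiers behind the Yara hits and flag the ones
that sit in executable, writable memory.

Added example, not part of the report. The field layout (process index,
analysis phase, sequence number, base address, page protection, one further
field left undecoded) is this example's reading of Joe Sandbox's dump naming;
the PAGE_* values are the Windows memory-protection constants. SAMPLE_LINES
is a constructed subset of the report's entries.
"""
import re
from collections import defaultdict

YARA_LINE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>\w+)\s*$")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d)\.(?P<name>.+)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)(?:\.raw)?\.unpack$"
)
PIDSPACE_RE = re.compile(r"^Process Memory Space:\s*(?P<name>.+?)\s+PID:\s*(?P<pid>\d+)$")
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
RWX = "PAGE_EXECUTE_READWRITE"

SAMPLE_LINES = [  # constructed subset of the report's Yara entries
    "Source: Yara matchFile source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY",
    "Source: Yara matchFile source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE",
]


def decode_dump_name(name):
    """Split an .sdmp identifier into its fields; None if it is not one."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "proc": int(m["proc"], 16),
        "phase": int(m["phase"], 16),   # 1 = as loaded, 2 = at end of analysis (assumed)
        "base": int(m["base"], 16),
        "prot": PAGE_PROTECT.get(prot, f"0x{prot:X}"),
    }


def summarize(lines):
    """Per process index: name (from the .unpack entries) and regions as
    (phase, base, protection); plus PIDs per process name."""
    procs = defaultdict(lambda: {"name": None, "regions": []})
    pids = defaultdict(set)
    for line in lines:
        m = YARA_LINE_RE.search(line)
        if not m:
            continue
        src = m["src"]
        d = decode_dump_name(src)
        if d:
            procs[d["proc"]]["regions"].append((d["phase"], d["base"], d["prot"]))
            continue
        u = UNPACK_RE.match(src)
        if u:
            procs[int(u["proc"])]["name"] = u["name"]
            continue
        p = PIDSPACE_RE.match(src)
        if p:
            pids[p["name"]].add(int(p["pid"]))
    for entry in procs.values():
        entry["regions"].sort()
    return dict(procs), dict(pids)


def rwx_hits(procs):
    """Process index -> sorted bases of Yara hits inside RWX memory."""
    out = {}
    for idx, entry in procs.items():
        bases = sorted({base for _, base, prot in entry["regions"] if prot == RWX})
        if bases:
            out[idx] = bases
    return out


if __name__ == "__main__":
    procs, pids = summarize(SAMPLE_LINES)
    for idx, bases in sorted(rwx_hits(procs).items()):
        print(f"process {idx} ({procs[idx]['name']}): RWX hits at",
              ", ".join(f"0x{b:X}" for b in bases))
    print("PIDs:", pids)
```

Run over the complete list, the phase-1 hits at 0x4D2000 and 0x497000 with protection 0x40 show the payload already present in the image as loaded, and the phase-2 hits at bases such as 0x2302000 and 0x22B2000 show the copies written into fresh RWX regions after unpacking; the ".unpack" entries at 0x2300000 and 0x22b0000 are the PE files the sandbox rebuilt from those regions.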
                 Contains functionality to log keystrokes (.Net Source)
                 Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs.Net Code: HookKeyboard
                 Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
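The "HookKeyboard" name in Form1.cs survives in every unpacked copy because a .NET assembly keeps its type and method names in the #Strings metadata heap as NUL-terminated UTF-8, while string literals such as the upload URL and the IP-check host are kept in the #US heap as length-prefixed UTF-16LE (ECMA-335 II.24.2.3 and II.24.2.4). A grep or Yara rule that looks for the ASCII form of a literal therefore misses it in a .NET dump; in Yara the string needs the `wide` modifier (or `ascii wide` to cover both heaps). The Python below is an added example, not part of the report: it walks a #US heap and searches a dump for a string in both encodings. SAMPLE_DUMP is a constructed buffer; the names and literals in it are taken from the report, and nothing here is the sample's own code.

```python
"""Find .NET strings in a memory dump in the encoding the CLR stores them in.

Added example, not part of the report. Method and type names such as
HookKeyboard live in the #Strings metadata heap as UTF-8, while string
literals such as the upload URL live in the #US heap as length-prefixed
UTF-16LE (ECMA-335 II.24.2.3 and II.24.2.4). SAMPLE_DUMP is a constructed
buffer; the strings in it are taken from the report.
"""


def read_compressed_uint(buf, off):
    """ECMA-335 II.23.2 compressed unsigned integer; returns (value, next offset)."""
    b0 = buf[off]
    if b0 & 0x80 == 0:
        return b0, off + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | buf[off + 1], off + 2
    return (((b0 & 0x1F) << 24) | (buf[off + 1] << 16)
            | (buf[off + 2] << 8) | buf[off + 3]), off + 4


def encode_compressed_uint(n):
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    return bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def build_user_string_heap(literals):
    """Constructed #US heap: an empty first blob, then each literal as
    compressed length + UTF-16LE text + one trailing flag byte."""
    heap = bytearray(b"\x00")
    for text in literals:
        body = text.encode("utf-16-le") + b"\x00"
        heap += encode_compressed_uint(len(body)) + body
    return bytes(heap)


def iter_user_strings(heap):
    """Walk a #US heap and return its literals."""
    literals, off = [], 1            # skip the mandatory empty blob at index 0
    while off < len(heap):
        size, off = read_compressed_uint(heap, off)
        body = heap[off:off + size]
        off += size
        if size % 2 == 1:            # drop the trailing flag byte
            body = body[:-1]
        if body:
            literals.append(body.decode("utf-16-le"))
    return literals


def find_string(buf, needle):
    """All offsets of needle in buf, as UTF-8/ASCII and as UTF-16LE."""
    hits = []
    for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf-16le")):
        pat = needle.encode(enc)
        start = 0
        while (pos := buf.find(pat, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


SAMPLE_US_HEAP = build_user_string_heap(
    ["http://www.site.com/logs.php", "whatismyipaddress.com"])
# Constructed dump: a fragment of a #Strings heap (UTF-8 names, NUL-separated)
# followed by the #US heap above.
SAMPLE_DUMP = (b"\x00" * 16 + b"<Module>\x00Form1\x00HookKeyboard\x00" + b"\x00" * 8
               + SAMPLE_US_HEAP + b"\x00" * 8)


if __name__ == "__main__":
    print("literals:", iter_user_strings(SAMPLE_US_HEAP))
    for needle in ("HookKeyboard", "logs.php", "whatismyipaddress.com"):
        print(needle, "->", find_string(SAMPLE_DUMP, needle))
```

In a real dump the #US heap is located through the metadata stream headers rather than by guessing; the walker above is the part that matters once the heap offset is known, and the two-encoding search is what to reach for when a string the decompiler shows is not found by a plain byte search.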
                Installs a global keyboard hookShow sources
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_004070D2 OpenClipboard,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_004233B4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00459724 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,
                Source: WindowsUpdate.exe, 0000000B.00000002.275048131.00000000007BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: 0_2_004557F8 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: 0_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: 0_2_0043A6DC NtdllDefWindowProc_A,GetCapture,
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: 0_2_0042E904 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00490159 NtCreateSection,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004557F8 NtdllDefWindowProc_A,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0043A6DC NtdllDefWindowProc_A,GetCapture,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0042E904 NtdllDefWindowProc_A,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_00490159 NtCreateSection,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_0044A3C8
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_0046F74C
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_004759E0
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_0044FECC
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0040D426
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0040D523
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0041D5AE
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00417646
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_004429BE
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00446AF4
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0046ABFC
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00463C4D
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00463CBE
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0040ED03
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00463D2F
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00463DC0
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0040CF92
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0041AFA6
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048F13D
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_00489976
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_004F9017
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_004F90A8
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_004A227A
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_004B028E
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_004A270E
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0043C7BC
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0044A3C8
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0046F74C
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004759E0
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0044FECC
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_00489976
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_0048F13D
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004F9017
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004F90A8
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004A227A
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004B028E
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004A270E
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004A280B
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004B2896
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004AC92E
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004D7CA6
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004DBDDC
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004FFEE4
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004F8F35
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004A3FEB
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004F8FA6
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_004D1AA4
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: String function: 004035DC appears 35 times
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: String function: 00404348 appears 78 times
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: String function: 004039A8 appears 40 times
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: String function: 004035DC appears 35 times
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: String function: 004E0D85 appears 35 times
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: String function: 00404348 appears 78 times
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: String function: 004039A8 appears 40 times
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: String function: 0044BA9D appears 35 times
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
                Source: Prueba de pago.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Prueba de pago.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: Windows Update.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Windows Update.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: WindowsUpdate.exe.3.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: WindowsUpdate.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: Windows Update.exe.13.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Windows Update.exe.13.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: Prueba de pago.exe, 00000000.00000002.215435609.00000000023E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Prueba de pago.exe
                Source: Prueba de pago.exe | Binary or memory string: OriginalFilename vs Prueba de pago.exe
                Source: Prueba de pago.exe | Binary or memory string: OriginalFileName vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.236900578.00000000069E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.236900578.00000000069E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.236774643.00000000068E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215435609.00000000023E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Prueba de pago.exe
                Source: Prueba de pago.exe | Binary or memory string: OriginalFilename vs Prueba de pago.exe
                Source: Prueba de pago.exe | Binary or memory string: OriginalFileName vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.236900578.00000000069E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.236900578.00000000069E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Prueba de pago.exe
                Source: Prueba de pago.exe, 00000001.00000002.236774643.00000000068E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Prueba de pago.exe
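The OriginalFilename lines above are the sandbox's "PE file has a different OriginalFilename than the sample" check: a VERSIONINFO resource naming WebBrowserPassView.exe, mailpv.exe or CMemoryExecute.dll inside a process called Prueba de pago.exe means other executables are embedded in it, here the NirSoft recovery tools HawkEye ships with. The scanner below is an added example, not Joe Sandbox code: it pulls every OriginalFilename value out of a raw dump (UTF-16LE as stored in the version resource, plus an ASCII copy in case a packer flattened it) and flags the names that are not the sample's own. The buffer it runs on is constructed, the set of "known tool" names is an editorial assumption seeded from this report, and the trailing characters the report prints after each name (the "F", "@", "<") are most likely the first byte of the next version-resource structure, which a NUL-terminated read like this one never picks up.

```python
"""Extract OriginalFilename version strings from a memory dump or PE buffer and flag the
ones that do not belong to the sample. Added example, not part of the original report."""
from typing import Dict, List

# NirSoft tools this report shows embedded in the sample. Which names count as a "known tool"
# is an editorial assumption; extend the set for your own triage.
EMBEDDED_TOOL_NAMES = {"webbrowserpassview.exe", "mailpv.exe"}

# VERSIONINFO keys are stored as UTF-16LE; a flattened/packed copy may be ASCII, so scan for both.
_KEYS = ((b"OriginalFilename", 1), ("OriginalFilename".encode("utf-16-le"), 2))


def _read_printable(buf: bytes, pos: int, width: int, limit: int = 260) -> str:
    """Read a NUL-terminated, printable-ASCII string of the given code-unit width starting at pos."""
    chars: List[str] = []
    while pos + width <= len(buf) and len(chars) < limit:
        unit = buf[pos:pos + width]
        if unit[0] == 0 or (width == 2 and unit[1] != 0):
            break  # terminator, or a non-ASCII UTF-16 code unit
        if not 0x20 <= unit[0] < 0x7F:
            break  # ran into binary data rather than a string
        chars.append(chr(unit[0]))
        pos += width
    return "".join(chars)


def extract_original_filenames(buf: bytes) -> List[str]:
    """Return every OriginalFilename value found in buf, in order of appearance."""
    hits = []
    for key, width in _KEYS:
        start = 0
        while (idx := buf.find(key, start)) >= 0:
            pos = idx + len(key)
            # Skip the key's NUL terminator and the DWORD padding that precedes the value.
            while pos < len(buf) and buf[pos] == 0:
                pos += 1
            value = _read_printable(buf, pos, width)
            if value:
                hits.append((idx, value))
            start = idx + len(key)
    return [value for _, value in sorted(hits)]


def foreign_original_filenames(buf: bytes, sample_name: str) -> Dict[str, str]:
    """Map each OriginalFilename that differs from the sample's own name to a triage verdict."""
    verdicts: Dict[str, str] = {}
    for name in extract_original_filenames(buf):
        if name.lower() == sample_name.lower():
            continue
        if name.lower() in EMBEDDED_TOOL_NAMES:
            verdicts[name] = "embedded credential-recovery tool"
        else:
            verdicts[name] = "embedded PE with a foreign name"
    return verdicts


def _version_string(key: str, value: str) -> bytes:
    """Build the szKey/Value part of a VERSIONINFO String entry: UTF-16LE, NUL-terminated, DWORD-aligned."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)
    return body + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a dump of the unpacked sample: its own resource plus three embedded PEs
# with the names the report lists. The bytes after each string mimic the next structure's header.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 60
    + _version_string("OriginalFilename", "Prueba de pago.exe") + b"\x46\x00" * 4
    + _version_string("OriginalFilename", "WebBrowserPassView.exe") + b"\x46\x00" * 4
    + _version_string("OriginalFilename", "mailpv.exe") + b"\x3c\x00" * 4
    + _version_string("OriginalFilename", "CMemoryExecute.dll") + b"\x40\x00" * 4
)

if __name__ == "__main__":
    for name, verdict in foreign_original_filenames(SAMPLE_DUMP, "Prueba de pago.exe").items():
        print(f"{name}: {verdict}")
```

When running this over real dumps, filter by the region's protection first: the user32 and propsys.dll.mui hits in the report come from read-only (0x02) mappings, i.e. legitimately loaded system resources, and only the hits in private read-write or execute-read-write regions point at embedded payloads.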
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.wer, type: DROPPED | Matched rule: SUSP_WER_Suspicious_Crash_Directory date = 2019-10-18, author = Florian Roth, description = Detects a crashed application executed in a suspicious directory, reference = https://twitter.com/cyb3rops/status/1185585050059976705, score =
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.wer, type: DROPPEDMatched rule: SUSP_WER_Suspicious_Crash_Directory date = 2019-10-18, author = Florian Roth, description = Detects a crashed application executed in a suspicious directory, reference = https://twitter.com/cyb3rops/status/1185585050059976705, score =
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@23/25@8/3
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00420A80 GetLastError,FormatMessageA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00408B82 GetDiskFreeSpaceA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00417214 FindResourceA,LoadResource,SizeofResource,LockResource,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | File created: C:\Users\user\AppData\Roaming\Windows Update.exe
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5388
                Source: C:\Users\user\Desktop\Prueba de pago.exe | File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\Desktop\Prueba de pago.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\Prueba de pago.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\Prueba de pago.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Prueba de pago.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Users\user\Desktop\Prueba de pago.exe | File read: C:\Users\user\Desktop\Prueba de pago.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Prueba de pago.exe 'C:\Users\user\Desktop\Prueba de pago.exe'
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2488
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2376
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Process created: C:\Users\user\Desktop\Prueba de pago.exe 'C:\Users\user\Desktop\Prueba de pago.exe'
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2376
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Prueba de pago.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: Prueba de pago.exe | Static file information: File size 1129472 > 1048576
                Source: C:\Users\user\Desktop\Prueba de pago.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: Binary string: rsaenh.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wkernel32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: bcrypt.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ucrtbase.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ws2_32.pdb0up source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Configuration.pdbKt0 source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wbemcomn.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 0000000F.00000002.308891234.0000000006730000.00000004.00000001.sdmp
                Source: Binary string: NapiNSP.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: msvcrt.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdb:r source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wrpcrt4.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wntdll.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp
                Source: Binary string: dhcpcsvc.pdb=p@ source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: mscoreei.pdbOs source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: powrprof.pdbBuP source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: winnsi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cryptsp.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: advapi32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\mscorlib.pdbj source: Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: wsspicli.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cordacwks.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\mscorlib.pdbh source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbz\AppData\Roaming\Windows Update.exe8 source: Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbz\AppData\Roaming\Windows Update.exe6 source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp
                Source: Binary string: CLBCatQ.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ntmarta.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: schannel.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: bj\zTs5.pdb9j source: Prueba de pago.exe, 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, Windows Update.exe, 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, WindowsUpdate.exe, 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp
                Source: Binary string: wwin32u.pdbup source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cryptsp.pdb`t0 source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: psapi.pdb7u` source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wkernelbase.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbPVs source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: shlwapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: version.pdbht source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Windows Update.exe, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp
                Source: Binary string: mscorjit.pdbbt source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Windows Update.exe, 0000000F.00000002.308904330.0000000006742000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Windows Update.exe, vbc.exe, 00000005.00000002.252405021.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp
                Source: Binary string: sxs.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: security.pdbHF0 source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: dwmapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mZqt usymbols\dll\mscorlib.pdbx source: Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: mscoree.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: Windows.Storage.pdbcw source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ws2_32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: msasn1.pdb8u source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: nlaapi.pdb+p0 source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDB source: Windows Update.exe, 00000003.00000002.265730699.00000000006D7000.00000004.00000020.sdmp
                Source: Binary string: iphlpapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: nsi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: jqt usymbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp
                Source: Binary string: wmiutils.pdb_s source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: powrprof.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Configuration.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ole32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: winnsi.pdb<p source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: security.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: rlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: msasn1.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp, WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: comctl32v582.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: DWrite.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cfgmgr32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Drawing.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Management.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: combase.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: Windows.Storage.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorrc.pdbJnP source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: secur32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: rasadhlp.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb/nP source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: dhcpcsvc.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265730699.00000000006D7000.00000004.00000020.sdmp
                Source: Binary string: dwmapi.pdbHt0 source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: pnrpnsp.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cryptbase.pdbjt source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: NapiNSP.pdb/p source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Runtime.Remoting.pdb"n source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wsspicli.pdbkt source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: pnrpnsp.pdb-p` source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: shcore.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: .pdb* source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: wgdi32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: fltLib.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: shell32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: msvcr80.i386.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: msvcp_win.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: shfolder.pdbit`F source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: dnsapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: rasapi32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wimm32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wwin32u.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: dnsapi.pdb1p source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: nlaapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: winhttp.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wUxTheme.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb?p source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorsec.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wmiutils.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: gdiplus.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: rtutils.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cordacwks.pdbPn source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorwks.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb@ source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: profapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: dhcpcsvc6.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: Kernel.Appcore.pdbGu source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wgdi32full.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorjit.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: sechost.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscoree.pdbWsP source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: shfolder.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wgdi32full.pdbmt@ source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: rasman.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: fastprox.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wbemsvc.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: winrnr.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: msctf.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp
                Source: Binary string: System.Runtime.Remoting.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wmswsock.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: version.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wintrust.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: rsaenh.pdb]t source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Xml.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorrc.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wbemcomn.pdbbs source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Windows.Forms.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: Kernel.Appcore.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: psapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: WMINet_Utils.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: fwpuclnt.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000F.00000002.303054120.00000000006B4000.00000004.00000020.sdmp
                Source: Binary string: bcrypt.pdb[t source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wbemprox.pdbas source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Management.pdbX source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cryptbase.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: winrnr.pdb*p source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wuser32.pdb@w source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscoreei.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: bcryptprimitives.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: msvcp_win.pdb[w source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: oleaut32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wuser32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: \??\C:\Windows\mscorlib.pdb{ source: Windows Update.exe, 00000003.00000002.265730699.00000000006D7000.00000004.00000020.sdmp
                Source: Binary string: wbemprox.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: culture.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: crypt32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: edputil.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: rsaenh.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wkernel32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: bcrypt.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ucrtbase.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ws2_32.pdb0up source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: System.Configuration.pdbKt0 source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wbemcomn.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 0000000F.00000002.308891234.0000000006730000.00000004.00000001.sdmp
                Source: Binary string: NapiNSP.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: msvcrt.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdb:r source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wrpcrt4.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wntdll.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp
                Source: Binary string: dhcpcsvc.pdb=p@ source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: mscoreei.pdbOs source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: powrprof.pdbBuP source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: winnsi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cryptsp.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: advapi32.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\mscorlib.pdbj source: Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: wsspicli.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cordacwks.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: C:\Windows\mscorlib.pdbh source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbz\AppData\Roaming\Windows Update.exe8 source: Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbz\AppData\Roaming\Windows Update.exe6 source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp
                Source: Binary string: CLBCatQ.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: ntmarta.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: schannel.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: bj\zTs5.pdb9j source: Prueba de pago.exe, 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, Windows Update.exe, 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, WindowsUpdate.exe, 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp
                Source: Binary string: wwin32u.pdbup source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: cryptsp.pdb`t0 source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: psapi.pdb7u` source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: wkernelbase.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbPVs source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: shlwapi.pdb source: WERF1FE.tmp.mdmp.9.dr
                Source: Binary string: version.pdbht source: WERF1FE.tmp.mdmp.9.dr
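                The paths above come from string scans of the process memory dumps (the `.sdmp` sources), which is why several carry trailing junk (`mscorjit.pdbbt`, `security.pdbHF0`, `.pdb*`). The entries that matter for attribution are the sample's own: the `Stealer\CMemoryExecute` project path, and the NirSoft `mailpv.pdb` and `WebBrowserPassView.pdb` paths that line up with the MailPassView and WebBrowserPassView detections. The Python below is an added example, not part of this report or of any Joe Sandbox tooling: it recovers PDB paths from a file or memory dump by parsing the CodeView RSDS record (signature, GUID, age, NUL-terminated path) instead of matching raw strings, so junk hits are rejected and the symbol-server key can be derived. `SAMPLE_DUMP` is constructed inline; its two paths reuse values seen in the listing, and the GUIDs and ages are made up.

```python
import re
import struct

# CodeView "RSDS" debug record, as emitted by MSVC and .NET linkers:
#   'RSDS' | GUID (16 bytes) | Age (uint32 LE) | NUL-terminated PDB path
# The GUID's first three fields are little-endian; the last 8 bytes are raw.
RSDS_SIG = re.compile(rb"RSDS")
MAX_PDB_PATH = 260


def parse_rsds(buf, offset):
    """Parse one RSDS record at `offset`; return None if it is not a well-formed record."""
    path_start = offset + 4 + 16 + 4
    if path_start > len(buf):
        return None                                  # truncated header
    raw_guid = buf[offset + 4:offset + 20]
    age = struct.unpack_from("<I", buf, offset + 20)[0]
    nul = buf.find(b"\0", path_start, path_start + MAX_PDB_PATH + 1)
    if nul < 0:
        return None                                  # no terminator within MAX_PATH: junk hit
    try:
        path = buf[path_start:nul].decode("ascii")
    except UnicodeDecodeError:
        return None                                  # binary noise after a stray 'RSDS'
    if not path.lower().endswith(".pdb"):
        return None
    d1, d2, d3 = struct.unpack_from("<IHH", raw_guid)
    tail = raw_guid[8:].hex().upper()
    return {
        "offset": offset,
        "guid": f"{d1:08X}-{d2:04X}-{d3:04X}-{tail[:4]}-{tail[4:]}",
        "age": age,
        "path": path,
        # Symbol-server key: GUID hex without dashes followed by Age in hex,
        # used as .../download/symbols/<pdb name>/<symkey>/<pdb name>
        "symkey": f"{d1:08X}{d2:04X}{d3:04X}{tail}{age:X}",
    }


def extract_rsds(buf):
    """Scan a PE file or process memory dump for RSDS records; return the valid ones in order."""
    records = []
    for match in RSDS_SIG.finditer(buf):
        rec = parse_rsds(buf, match.start())
        if rec is not None:
            records.append(rec)
    return records


def _rsds(guid, age, path):
    """Build one RSDS record (test-fixture helper)."""
    return b"RSDS" + guid + struct.pack("<I", age) + path + b"\0"


# Constructed stand-in for a memory dump: two real records around a junk 'RSDS' hit.
SAMPLE_DUMP = (
    b"\x00" * 32
    + _rsds(bytes(range(16)), 1, rb"f:\Projects\VS2005\mailpv\Release\mailpv.pdb")
    + b"\xcc" * 17
    + b"RSDS" + b"\xff" * 28            # looks like a record, but no ASCII path follows
    + _rsds(b"\x11" * 16, 7,
            rb"C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer"
            rb"\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb")
)

if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE_DUMP):
        print(f"{rec['offset']:#08x}  {rec['guid']}  age={rec['age']}  {rec['path']}")
```

Point `extract_rsds` at the bytes of a dumped region or the original file. Records whose path lies outside the Windows SDK or the .NET framework directories are the ones worth keeping: a developer's `Documents\Visual Studio ...` path is a pivot for clustering other samples from the same builder.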

                Data Obfuscation:

                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\Prueba de pago.exe  Unpacked PE file: 1.2.Prueba de pago.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Unpacked PE file: 3.2.Windows Update.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe  Unpacked PE file: 13.2.WindowsUpdate.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Unpacked PE file: 15.2.Windows Update.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Detected unpacking (creates a PE file in dynamic memory)
                Source: C:\Users\user\Desktop\Prueba de pago.exe Unpacked PE file: 1.2.Prueba de pago.exe.2460000.3.unpack
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 3.2.Windows Update.exe.2330000.3.unpack
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 15.2.Windows Update.exe.2300000.3.unpack
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\Prueba de pago.exe Unpacked PE file: 1.2.Prueba de pago.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 3.2.Windows Update.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Unpacked PE file: 13.2.WindowsUpdate.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 15.2.Windows Update.exe.400000.0.unpack
                .NET source code contains potential unpacker
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00441B28 push 00441BB5h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C020 push 0040C098h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00430030 push 0043005Ch; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C09A push 0040C10Bh; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C09C push 0040C10Bh; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C17A push 0040C1A8h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C17C push 0040C1A8h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00430198 push 004301C4h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004101B0 push 00410211h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00410214 push 00410415h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C2A4 push eax; retn 0040h
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004583D8 push 00458404h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00410418 push 0041055Ch; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00426524 push 004265F4h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00410530 push 0041055Ch; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0046A5E4 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040659E push 004065F1h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004065A0 push 004065F1h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0041C6E4 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00406770 push 0040679Ch; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00426704 push 00426730h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004667D8 push 00466804h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004627D8 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040682C push 00406858h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0046A8F4 push 0046A91Ah; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0046A958 push 0046A984h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0041A978 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004269BC push 004269E8h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00428A50 push 00428A7Ch; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00444A7C push 00444AA8h; ret
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00428A04 push 00428A45h; ret
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

                Hooking and other Techniques for Hiding and Protection:

                Changes the view of files in windows explorer (hidden files and folders)
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Deletes itself after installation
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe File deleted: c:\users\user\desktop\prueba de pago.exe
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0043BDB0 IsIconic,GetCapture,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0043BDB0 IsIconic,GetCapture,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                Source: C:\Users\user\Desktop\Prueba de pago.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Process information set: NOOPENFILEERRORBOX (79 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  Process information set: NOOPENFILEERRORBOX (9 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX (21 identical entries)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe  Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Process information set: NOOPENFILEERRORBOX (53 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  Process information set: NOOPENFILEERRORBOX (7 identical entries)
                Source: C:\Users\user\Desktop\Prueba de pago.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Contains functionality to detect sleep reduction / modifications
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: 0_2_00430D08
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 2_2_00430D08
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                Source: C:\Users\user\Desktop\Prueba de pago.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 300000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 180000
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00430D08
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00430D08
                Source: C:\Users\user\Desktop\Prueba de pago.exe TID: 4688 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Prueba de pago.exe TID: 3352 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5468 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 676 | Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 580 | Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1632 | Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -99890s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -99547s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -99297s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -99156s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -98953s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -98547s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -98406s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -98297s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -98203s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -98109s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -97953s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -97859s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -97750s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -96750s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -96609s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 | Thread sleep time: -96453s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6300 | Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6416 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6412 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6580 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6972 | Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6976 | Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6984 | Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99906s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99797s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99656s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99547s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99453s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99297s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99203s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -99094s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98953s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98859s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98750s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98656s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98547s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98406s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98297s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98203s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98094s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -98000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -97906s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 | Thread sleep time: -97750s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File opened: PhysicalDrive0
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_004089B8 FindFirstFileA,GetLastError,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004089B8 FindFirstFileA,GetLastError,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00421010 GetSystemInfo,
                Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oyF
                Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
                Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
                Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Process queried: DebugFlags
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Process queried: DebugObjectHandle
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process queried: DebugFlags
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process queried: DebugObjectHandle
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process queried: DebugFlags
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_0048F412 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_0048F4D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048A746 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_0048A746 SetUnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 3_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Memory protected: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                barindex
                .NET source code references suspicious native API functionsShow sources
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.Prueba de pago.exe.2350000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.Prueba de pago.exe.2460000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.Prueba de pago.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 2.2.Windows Update.exe.2820000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 3.2.Windows Update.exe.2330000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 3.2.Windows Update.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 3.2.Windows Update.exe.22a0000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 13.2.WindowsUpdate.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Allocates memory in foreign processes
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\Prueba de pago.exe Section loaded: unknown target: C:\Users\user\Desktop\Prueba de pago.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\Windows Update.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\WindowsUpdate.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\Windows Update.exe protection: execute and read and write
                Sample uses process hollowing technique
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Writes to foreign memory regions
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                Source: C:\Users\user\Desktop\Prueba de pago.exe Process created: C:\Users\user\Desktop\Prueba de pago.exe 'C:\Users\user\Desktop\Prueba de pago.exe'
                Source: C:\Users\user\Desktop\Prueba de pago.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2376
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,GetACP,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,GetACP,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA,GetACP,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_0040697A GetSystemTime,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Code function: 0_2_00441B28 GetVersion,
                Source: C:\Users\user\Desktop\Prueba de pago.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Prueba de pago.exe, 00000000.00000002.214877114.000000000019D000.00000004.00000010.sdmp, Windows Update.exe, 00000002.00000002.235078035.000000000019D000.00000004.00000010.sdmp, WindowsUpdate.exe, 0000000B.00000002.274403996.000000000019D000.00000004.00000010.sdmp, Windows Update.exe, 0000000E.00000002.284532743.000000000019D000.00000004.00000010.sdmp | Binary or memory string: avp.exe
                Source: Windows Update.exe, 00000003.00000002.271219701.0000000006C10000.00000004.00000001.sdmp | Binary or memory string: r\MsMpeng.exe
                Source: Windows Update.exe, 00000003.00000003.245352760.0000000000743000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                Stealing of Sensitive Information:

                Yara detected HawkEye Keylogger
                Source: Yara match | File source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.305679255.0000000002E2C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED
                Source: Yara match | File source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
                Yara detected MailPassView
                Source: Yara match | File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.305848989.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.269629299.00000000039E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.252405021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
                Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6120, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
                Source: Yara match | File source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Tries to steal Instant Messenger accounts or passwords
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                Tries to steal Mail credentials (via file access)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
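
                The three signatures above all record the same process, C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (the VB.NET command-line compiler), reading Chrome's Login Data and Web Data files and the account keys of Outlook, Windows Live Mail, IncrediMail and Google Talk. A compiler has no reason to touch any of these, and a single image reading browser, mail and IM stores in one run is the footprint of the injected MailPassView and WebBrowserPassView tools the Yara rules flag. The block below is an added example and not part of the Joe Sandbox report: a Python detector that consumes file-open and key-open events and reports accesses by images outside an allowlist of expected owners, then lists images that span several store families. The event format, the constructed sample events and the owner allowlist (chrome.exe, outlook.exe, wlmail.exe) are assumptions for this example; the store paths and keys are the ones listed above.

```python
"""Flag credential-store access by processes that are not the store's owner.

Added example (not part of the Joe Sandbox report). Event format, sample events and
the owner allowlist are assumptions made for this example; the store paths and keys
are the ones the report lists for vbc.exe.
"""
import ntpath
from typing import NamedTuple, Optional


class AccessEvent(NamedTuple):
    image: str   # full path of the process image that performed the access
    kind: str    # "file" or "key"
    target: str  # file path or registry key that was opened


# (kind, pattern, family, legitimate owners). Patterns are lower-case; file patterns
# are matched as path suffixes (the profile prefix varies), key patterns as the key or
# any subkey. An empty owner set means every access is reported (assumed allowlist).
STORES = [
    ("file", r"\google\chrome\user data\default\login data", "browser", {"chrome.exe"}),
    ("file", r"\google\chrome\user data\default\web data", "browser", {"chrome.exe"}),
    ("key", r"hkey_current_user\software\google\google talk\accounts", "im", set()),
    ("key", r"hkey_current_user\software\microsoft\identitycrl\dynamic salt", "im", set()),
    ("key", r"hkey_current_user\software\microsoft\office\outlook\omi account manager\accounts",
     "mail", {"outlook.exe"}),
    ("key", r"hkey_current_user\software\microsoft\windows nt\currentversion"
            r"\windows messaging subsystem\profiles", "mail", {"outlook.exe"}),
    ("key", r"hkey_current_user\software\incredimail\identities", "mail", set()),
    ("key", r"hkey_current_user\software\microsoft\windows live mail", "mail", {"wlmail.exe"}),
]


def match_store(event: AccessEvent) -> Optional[tuple]:
    """Return the (pattern, family, owners) entry the event touches, or None."""
    target = event.target.lower()
    for kind, pattern, family, owners in STORES:
        if kind != event.kind:
            continue
        if kind == "file" and target.endswith(pattern):
            return pattern, family, owners
        if kind == "key" and (target == pattern or target.startswith(pattern + "\\")):
            return pattern, family, owners
    return None


def credential_access_alerts(events) -> list:
    """One alert per access to a credential store by an image that does not own it."""
    alerts = []
    for ev in events:
        hit = match_store(ev)
        if hit is None:
            continue
        _pattern, family, owners = hit
        image = ntpath.basename(ev.image).lower()
        if image not in owners:
            alerts.append({"image": image, "family": family, "target": ev.target})
    return alerts


def password_tool_suspects(alerts, min_families: int = 2) -> dict:
    """Images whose alerts span several store families (browser, mail, im) in one run:
    the behaviour the report attributes to vbc.exe hosting the injected password tools."""
    families = {}
    for a in alerts:
        families.setdefault(a["image"], set()).add(a["family"])
    return {img: sorted(f) for img, f in families.items() if len(f) >= min_families}


# Constructed sample events mirroring the report's indicators, plus two benign accesses
# by the owning applications and one unrelated file open.
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    AccessEvent(VBC, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(VBC, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    AccessEvent(VBC, "key", r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    AccessEvent(VBC, "key", r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"),
    AccessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "key",
                r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\00000001"),
    AccessEvent(r"C:\Windows\explorer.exe", "file", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    found = credential_access_alerts(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['image']} read {a['family']} store: {a['target']}")
    print("multi-store readers:", password_tool_suspects(found))
```

                Matching stores by suffix and subkey rather than by exact string keeps the rule valid across user profiles and the numbered Accounts\0000000N subkeys Outlook writes; the owner allowlist is deliberately small, because a process that is not the store's own client is the signal here, not any particular malicious image name.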
                Yara detected WebBrowserPassView password recovery tool
                Source: Yara match | File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.305848989.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.269629299.00000000039E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
                Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3484, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
                Source: Yara match | File source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE

                Remote Access Functionality:

                Detected HawkEye Rat
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: Prueba de pago.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                Source: Prueba de pago.exe | String found in binary or memory: HawkEyeKeylogger
                Source: Prueba de pago.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                Source: Prueba de pago.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: Windows Update.exe | String found in binary or memory: HawkEyeKeylogger
                Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
                Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: ar#"HawkEye_Keylogger_Stealer_Records_
                Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: WindowsUpdate.exe, 0000000D.00000002.290668635.0000000002A11000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
                Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: Windows Update.exe, 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
                Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger|9ar
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger|9ar@~WA]sOS}SOZYQQSD666666666666666666666666666666666666666666666666|9ar@
                Source: WERF1FE.tmp.mdmp.9.dr | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: WERF1FE.tmp.mdmp.9.dr | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: WERF1FE.tmp.mdmp.9.dr | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: WERF1FE.tmp.mdmp.9.dr | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
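
                The sample is a .NET assembly, so these literals live in its #US (user string) metadata heap as UTF-16LE, each preceded by a compressed byte count that includes one trailing flag byte, i.e. 2 * chars + 1. That is what the stray characters in front of the raw hits are: '!' is 0x21 = 2 * 16 + 1 for the 16-character HawkEyeKeylogger, 'M' is 0x4D = 2 * 38 + 1 for the 38-character HawkEye_Keylogger_Execution_Confirmed_, and 'E' (0x45) and 'C' (0x43) fit the 34- and 33-character Stealer_Records_ and Keylog_Records_ names the same way. In practice an ASCII-only string search over a dump misses these, and a Yara rule for them needs the wide modifier. The block below is an added example and not part of the Joe Sandbox report: a Python scanner that looks for the four marker strings in both encodings and, for UTF-16 hits, checks the #US length prefix so a hit can be attributed to the metadata heap rather than to a loose buffer. The scanned blob is constructed inline to stand in for a process dump.

```python
"""Find HawkEye marker strings in a byte blob, in both ASCII and the UTF-16LE form a
.NET #US heap stores them in.

Added example, not part of the Joe Sandbox report. The marker strings are the ones the
report lists; the scanned blob is constructed below to stand in for a process dump.
"""
import re

MARKERS = [
    "HawkEyeKeylogger",
    "HawkEye_Keylogger_Execution_Confirmed_",
    "HawkEye_Keylogger_Stealer_Records_",
    "HawkEye_Keylogger_Keylog_Records_",
]


def us_heap_length_prefix(n_chars: int) -> bytes:
    """ECMA-335 compressed unsigned int for a #US blob holding n_chars UTF-16 code
    units plus the single trailing flag byte (so the byte count is always odd)."""
    n = 2 * n_chars + 1
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    return bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def scan_for_hawkeye(blob: bytes) -> list:
    """Return (offset, marker, encoding, in_us_heap) for every hit, sorted by offset.

    in_us_heap is True when a UTF-16LE hit is immediately preceded by the #US length
    prefix its character count requires, i.e. the bytes look like a metadata heap
    entry rather than a loose copy of the string in some buffer."""
    hits = []
    for marker in MARKERS:
        needles = (("ascii", marker.encode("ascii")),
                   ("utf-16le", marker.encode("utf-16-le")))
        for enc, needle in needles:
            for m in re.finditer(re.escape(needle), blob):
                in_heap = False
                if enc == "utf-16le":
                    prefix = us_heap_length_prefix(len(marker))
                    start = m.start() - len(prefix)
                    in_heap = start >= 0 and blob[start:m.start()] == prefix
                hits.append((m.start(), marker, enc, in_heap))
    return sorted(hits)


def us_entry(s: str) -> bytes:
    """Encode one #US heap entry: length prefix, UTF-16LE text, flag byte (0 here)."""
    return us_heap_length_prefix(len(s)) + s.encode("utf-16-le") + b"\x00"


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dump: filler, a fake #US heap holding two markers
    next to the neighbours the report shows (\\pidloc.txt, Disablenotify), and one
    loose ASCII copy of a third marker."""
    heap = (us_entry("\\pidloc.txt") + us_entry("HawkEyeKeylogger")
            + us_entry("Disablenotify") + us_entry("HawkEye_Keylogger_Execution_Confirmed_"))
    return (b"\x00" * 64 + heap + b"\xcc" * 32
            + b"HawkEye_Keylogger_Stealer_Records_" + b"\x00" * 16)


if __name__ == "__main__":
    for offset, marker, enc, in_heap in scan_for_hawkeye(build_sample_blob()):
        where = "#US heap entry" if in_heap else "loose string"
        print(f"0x{offset:06x} {enc:<8} {where:<14} {marker}")
```

                The two "HawkEye Keylogger | ... |" banner strings are left out of the marker list on purpose: their 'U' and 'M' prefixes only fit the 2 * chars + 1 rule if each string ends in a trailing space that the report's rendering strips, so their exact bytes cannot be taken from the page.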
                Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger|9ar
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger
                Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger|9ar@~WA]sOS}SOZYQQSD666666666666666666666666666666666666666666666666|9ar@
                Source: WERF1FE.tmp.mdmp.9.drString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: WERF1FE.tmp.mdmp.9.drString found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: WERF1FE.tmp.mdmp.9.drString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: WERF1FE.tmp.mdmp.9.drString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Yara detected HawkEye Keylogger
                Source: Yara match | File source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.305679255.0000000002E2C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED
                Source: Yara match | File source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Techniques per tactic column (trailing digits are the report's signature-count badges, kept as printed):

                Initial Access: Replication Through Removable Media1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                Execution: Windows Management Instrumentation21; Native API11; Shared Modules1; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                Persistence: DLL Side-Loading1; Application Shimming1; Registry Run Keys / Startup Folder1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
                Privilege Escalation: DLL Side-Loading1; Application Shimming1; Process Injection511; Registry Run Keys / Startup Folder1; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
                Defense Evasion: Disable or Modify Tools1; Deobfuscate/Decode Files or Information11; Obfuscated Files or Information21; Software Packing41; DLL Side-Loading1; File Deletion1; Masquerading1; Modify Registry1; Virtualization/Sandbox Evasion6; Process Injection511; Hidden Files and Directories1
                Credential Access: OS Credential Dumping1; Input Capture221; Credentials in Registry1; Credentials In Files1; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                Discovery: System Time Discovery1; Peripheral Device Discovery1; File and Directory Discovery2; System Information Discovery39; Security Software Discovery291; Virtualization/Sandbox Evasion6; Process Discovery2; Application Window Discovery11; Remote System Discovery1; System Network Configuration Discovery1; Permission Groups Discovery
                Lateral Movement: Replication Through Removable Media1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
                Collection: Archive Collected Data11; Data from Local System1; Email Collection1; Input Capture221; Clipboard Data3; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
                Command and Control: Ingress Tool Transfer2; Encrypted Channel12; Non-Standard Port1; Remote Access Software1; Non-Application Layer Protocol2; Application Layer Protocol13; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

                Behavior Graph

                Behavior Graph ID: 319596
                Sample: Prueba de pago.exe
                Start date: 18/11/2020
                Architecture: WINDOWS
                Score: 100

                Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 14 other signatures

                Process tree (node numbers are the graph's; bracketed numbers are its counters for created registry values and created files):

                9   Prueba de pago.exe (started)
                      Signatures: Maps a DLL or memory area into another process
                      -> 14  Prueba de pago.exe [9] (started)
                             Dropped: C:\Users\user\...\Prueba de pago.exe.log (ASCII)
                             -> 19  Windows Update.exe (started)
                                    Signatures: Maps a DLL or memory area into another process
                                    -> 24  Windows Update.exe [16 8] (started)
                                           DNS/IP: 49.124.12.0.in-addr.arpa; smtp.jif-asesores.com 217.76.146.62 (ports 49728, 49741, 587; ONEANDONE-ASBrauerstrasse48DE, Spain); 2 other IPs or domains
                                           Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32); C:\...\WindowsUpdate.exe:Zone.Identifier (ASCII)
                                           Signatures: Changes the view of files in windows explorer (hidden files and folders); Deletes itself after installation; Writes to foreign memory regions; 3 other signatures
                                           -> 31  vbc.exe [1] (started)
                                                  Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
                                           -> 34  vbc.exe [13] (started)
                                                  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                                           -> 36  WerFault.exe [9] (started)
                                                  Dropped: C:\ProgramData\Microsoft\...\WERF1FE.tmp.mdmp (Mini)
                                           -> 39  dw20.exe [22 6] (started)
                12  WindowsUpdate.exe (started)
                      Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
                      -> 17  WindowsUpdate.exe (started)
                             Dropped: C:\Users\user\AppData\...\Windows Update.exe (PE32); C:\...\Windows Update.exe:Zone.Identifier (ASCII)
                             -> 22  Windows Update.exe (started)
                                    -> 29  Windows Update.exe (started)
                                           DNS/IP: 49.124.12.0.in-addr.arpa
                                           Signatures: Installs a global keyboard hook
                                           -> 41  dw20.exe (started)

                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                Prueba de pago.exe | 100% | Joe Sandbox ML |

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\Windows Update.exe | 44% | ReversingLabs | Win32.Trojan.Wacatac
                C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 44% | ReversingLabs | Win32.Trojan.Wacatac

                Unpacked PE Files

                Source | Detection | Scanner | Label
                11.2.WindowsUpdate.exe.2740000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                11.2.WindowsUpdate.exe.2740000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                2.2.Windows Update.exe.27d0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                3.1.Windows Update.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                1.2.Prueba de pago.exe.2350000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                1.2.Prueba de pago.exe.2350000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                0.2.Prueba de pago.exe.26e0000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                0.2.Prueba de pago.exe.26e0000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                13.2.WindowsUpdate.exe.6b0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                14.2.Windows Update.exe.2700000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                14.2.Windows Update.exe.2700000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                2.2.Windows Update.exe.2820000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                2.2.Windows Update.exe.2820000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                1.2.Prueba de pago.exe.2460000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                1.2.Prueba de pago.exe.2460000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                15.2.Windows Update.exe.2300000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                15.2.Windows Update.exe.2300000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                3.2.Windows Update.exe.2330000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                3.2.Windows Update.exe.2330000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                3.2.Windows Update.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                3.2.Windows Update.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                0.2.Prueba de pago.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                14.2.Windows Update.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                15.2.Windows Update.exe.960000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                15.2.Windows Update.exe.960000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                13.1.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                13.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                13.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                3.2.Windows Update.exe.22a0000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                3.2.Windows Update.exe.22a0000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                0.2.Prueba de pago.exe.2690000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                11.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                6.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                1.1.Prueba de pago.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                11.2.WindowsUpdate.exe.26f0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                2.2.Windows Update.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                13.2.WindowsUpdate.exe.2200000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                13.2.WindowsUpdate.exe.2200000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                15.2.Windows Update.exe.8d0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                1.2.Prueba de pago.exe.22c0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                3.2.Windows Update.exe.2210000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                13.2.WindowsUpdate.exe.22b0000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                13.2.WindowsUpdate.exe.22b0000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                15.1.Windows Update.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                15.1.Windows Update.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                15.2.Windows Update.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                15.2.Windows Update.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                1.2.Prueba de pago.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                1.2.Prueba de pago.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                14.2.Windows Update.exe.2310000.2.unpack | 100% | Avira | TR/Crypt.ULPM.Gen

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://www.monotype.fyB | 0% | Avira URL Cloud | safe
                http://www.carterandcone.comre | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://www.carterandcone.comes | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cnT | 0% | Avira URL Cloud | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://www.carterandcone.com | 0% | URL Reputation | safe
                http://www.fontbureau.comueno | 0% | Avira URL Cloud | safe
                http://whatismyipaddress.comx& | 0% | Avira URL Cloud | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://fontfabrik.com | 0% | URL Reputation | safe
                http://www.founder.com.cn/cnv | 0% | Avira URL Cloud | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                https://whatismyipaddress.comx& | 0% | Avira URL Cloud | safe
                http://go.microsoft. | 0% | Avira URL Cloud | safe
                http://www.galapagosdesign.com/staff/dennis.htmQt | 0% | Avira URL Cloud | safe
                http://go.microsoft.LinkId=42127 | 0% | Avira URL Cloud | safe
                http://www.carterandcone.comg | 0% | Avira URL Cloud | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cnb | 0% | Avira URL Cloud | safe
                http://www.monotype. | 0% | URL Reputation | safe
                http://www.fontbureau.comt | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://www.carterandcone.comues | 0% | Avira URL Cloud | safe
                http://www.fontbureau.comB.TTF_g | 0% | Avira URL Cloud | safe
                http://www.carterandcone.comsio | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn$ | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                whatismyipaddress.com | 104.16.155.36 | true | false |  | high
                smtp.jif-asesores.com | 217.76.146.62 | true | false |  | unknown
                49.124.12.0.in-addr.arpa | unknown | unknown | true |  | unknown

                      Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://whatismyipaddress.com/ | false |  | high

                        URLs from Memory and Binaries


                                                                      Contacted IPs


                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
217.76.146.62 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | false

                                                                      Private

                                                                      IP
                                                                      192.168.2.1

                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 319596
Start date: 18.11.2020
Start time: 13:22:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Prueba de pago.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@23/25@8/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 56.4% (good quality ratio 55.3%)
• Quality average: 84.2%
• Quality standard deviation: 23.3%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.42.151.234, 104.43.193.48, 52.255.188.83, 23.210.248.85, 51.11.168.160, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.144.132
• Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/319596/sample/Prueba de pago.exe

Simulations

Behavior and APIs

Time      Type             Description
13:23:18  API Interceptor  47x Sleep call for process: Windows Update.exe modified
13:23:22  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
13:23:23  API Interceptor  2x Sleep call for process: dw20.exe modified
13:23:29  API Interceptor  1x Sleep call for process: WerFault.exe modified
13:23:30  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
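Both Autostart rows record the same persistence: a Run value named "Windows Update" whose image is C:\Users\user\AppData\Roaming\WindowsUpdate.exe, i.e. a Windows-sounding name pointing into a user-writable profile directory. The following is an added example, not part of the Joe Sandbox report, showing how to triage that pattern from `reg query` output on a suspect host. The `reg query` text is constructed sample data (the OneDrive line is a typical benign AppData entry added for contrast), and the list of impersonating value names is a heuristic of this example, not a list from the report.

```python
import re
from typing import Dict, List

# Constructed output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# (sample data, not captured from the sandbox). The "Windows Update" value mirrors the
# autostart entry recorded above; the OneDrive line is a typical benign entry that also
# lives under AppData, included to show why the path check alone is not enough.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Update    REG_SZ    C:\Users\user\AppData\Roaming\WindowsUpdate.exe
"""

# reg.exe prints value rows as: <4 spaces><name><4 spaces><type><4 spaces><data>
ROW_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*?)\s*$")

# Path fragments that any user can write to (compared case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Value names that impersonate Windows itself; Windows does not register its own
# components under HKCU\...\Run with these names. Heuristic list, extend as needed.
IMPERSONATING_NAMES = {"windows update", "windows defender", "microsoft update", "svchost", "explorer"}


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn reg.exe output into a list of {name, type, data} records."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def image_path(data: str) -> str:
    """Extract the executable from a Run value: the quoted token, or the first token.

    Unquoted paths containing spaces are ambiguous (Windows tries each prefix);
    they are not split further here, so review those rows by hand.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score each autostart entry; two or more reasons is worth an analyst's time."""
    findings = []
    for entry in entries:
        path = image_path(entry["data"])
        reasons = []
        if any(seg in path.lower() for seg in USER_WRITABLE):
            reasons.append("image in user-writable directory")
        if entry["name"].strip().lower() in IMPERSONATING_NAMES:
            reasons.append("value name impersonates a Windows component")
        if reasons:
            findings.append({"name": entry["name"], "path": path,
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{finding['score']}] {finding['name']} -> {finding['path']}: {', '.join(finding['reasons'])}")
```

On the constructed input the "Windows Update" value scores 2 and OneDrive scores 1; a path under AppData alone is common for legitimate per-user installers, so the name check is what separates the two. The same parser works on the HKLM Run key and on the Wow6432Node view, which is what the HKCU64 row above reflects.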

Joe Sandbox View / Context

IPs

Match: 104.16.155.36

Associated Sample Name / URL  Detection  Context
mR3CdUkyLL.exe                malicious  whatismyipaddress.com/
6JLHKYvboo.exe                malicious  whatismyipaddress.com/
jSMd8npgmU.exe                malicious  whatismyipaddress.com/
RXk6PjNTN8.exe                malicious  whatismyipaddress.com/
9vdouqRTh3.exe                malicious  whatismyipaddress.com/
5pB35gGfZ5.exe                malicious  whatismyipaddress.com/
fyxC4Hgs3s.exe                malicious  whatismyipaddress.com/
yk94P18VKp.exe                malicious  whatismyipaddress.com/
oLHQIQAI3N.exe                malicious  whatismyipaddress.com/
WuGzF7ZJ7P.exe                malicious  whatismyipaddress.com/
NXmokFkh3R.exe                malicious  whatismyipaddress.com/
qiGQsdRM57.exe                malicious  whatismyipaddress.com/
NSSPH41vE5.exe                malicious  whatismyipaddress.com/
2v7Vtqfo81.exe                malicious  whatismyipaddress.com/
355OckuTD3.exe                malicious  whatismyipaddress.com/
i7osF3yJYR.exe                malicious  whatismyipaddress.com/
D71G6Z9M0O.exe                malicious  whatismyipaddress.com/
x2rzwu7CQ3.exe                malicious  whatismyipaddress.com/
LgADCmJ6oQ.exe                malicious  whatismyipaddress.com/
xV32Do628N.exe                malicious  whatismyipaddress.com/

Domains

Match: whatismyipaddress.com

Associated Sample Name / URL  Detection  Context
879mgDuqEE.jar                malicious  66.171.248.178
remittance1111.jar            malicious  66.171.248.178
879mgDuqEE.jar                malicious  66.171.248.178
remittance1111.jar            malicious  66.171.248.178
https://my-alliances.co.uk/   malicious  66.171.248.178
c9o0CtTIYT.exe                malicious  104.16.154.36
mR3CdUkyLL.exe                malicious  104.16.155.36
6JLHKYvboo.exe                malicious  104.16.155.36
jSMd8npgmU.exe                malicious  104.16.155.36
khJdbt0clZ.exe                malicious  104.16.154.36
ZMOKwXqVHO.exe                malicious  104.16.154.36
5Av43Q5IXd.exe                malicious  104.16.154.36
8oaZfXDstn.exe                malicious  104.16.154.36
RXk6PjNTN8.exe                malicious  104.16.155.36
9vdouqRTh3.exe                malicious  104.16.154.36
5pB35gGfZ5.exe                malicious  104.16.155.36
M9RhKQ1G91.exe                malicious  104.16.154.36
0CyK3Y7XBs.exe                malicious  104.16.154.36
pwYhlZGMa6.exe                malicious  104.16.154.36
fyxC4Hgs3s.exe                malicious  104.16.155.36

ASN

Match: ONEANDONE-ASBrauerstrasse48DE

Associated Sample Name / URL  Detection  Context
baf6b9fcec491619b45c1dd7db56ad3d.exe  malicious  217.160.0.224
Narudžba 0521360021.xlsx  malicious  74.208.22.240
Quote Request.xlsx  malicious  82.165.48.223
anthony.exe  malicious  217.160.0.199
8miw6WNHCt.exe  malicious  74.208.5.21
WO4jeXWl0L.exe  malicious  74.208.45.104
5YCsNuM4a9.exe  malicious  74.208.45.104
eLaaw7SqMi.exe  malicious  74.208.5.22
vi9qEkXlGm.exe  malicious  217.76.150.19
p8LV1eVFyO.exe  malicious  217.160.0.224
BUd4ZanDeR.exe  malicious  198.251.77.47
0Ia3EzPqrx.exe  malicious  74.208.236.235
mvl9cPORxx.exe  malicious  74.208.5.15
ultimate-mailer (x64).exe  malicious  82.165.116.162
invoice No_SINI0068206497.exe  malicious  217.160.233.109
COMMERCIAL INVOICE BILL OF LADING DOC.exe  malicious  77.68.64.21
https://moeglobal-my.sharepoint.com/:o:/g/personal/bel_moe-as_no/EhOor6oBqeFEgp-vQYeIFUEB1ye9Et93JElzx8s1IHLnTA?e=3OSEPa  malicious  77.68.64.10
IQtvZjIdhN.exe  malicious  217.160.0.224
f14QUITHh3.exe  malicious  74.208.236.51
Invoice.exe  malicious  82.223.120.84

Match: CLOUDFLARENETUS

Associated Sample Name / URL  Detection  Context
a66a5257bb6ee2e690450c48a91815d4.exe  malicious  104.23.99.190
D6vy84I7rJ.exe  malicious  162.159.133.233
u82lb18JnW.exe  malicious  104.31.92.240
https://agrabadconventionhall.com/redirect-outlook.com/server%20configuration/?#info@herbertarchitekten.de  malicious  104.16.18.94
https://agrabadconventionhall.com/redirect-outlook.com/server configuration/  malicious  104.16.19.94
baf6b9fcec491619b45c1dd7db56ad3d.exe  malicious  172.67.214.161
http://cricketventures.com  malicious  104.26.13.251
https://www.chm-endurance.com/  malicious  104.22.24.131
https://bitly.com/35yFnns  malicious  104.16.19.94
https://email.ofificeshareserver1.ml/e/c/eyJlbWFpbF9pZCI6IlJPS0xCZ01BQVhYVjZXVUFLRTFaMUpQWmZrTU1mUT09IiwiaHJlZiI6Imh0dHBzOi8vZmlyZWJhc2VzdG9yYWdlLmdvb2dsZWFwaXMuY29tL3YwL2Ivc2l0ZXMtMDAuYXBwc3BvdC5jb20vby9zaGFyZS1wb2ludCUyRnJlZGlyZWN0Lmh0bWw_YWx0PW1lZGlhXHUwMDI2dG9rZW49ZWM5NWIwZjItNTE4Ny00YzA3LWExNGUtMDA2OWE0ZWI0ODcxXHUwMDI2ZW1haWw9bWFya3VzLm5pZXRoQGp1bGl1c2JhZXIuY29tIiwibGlua19pZCI6MSwicG9zaXRpb24iOjB9/1b8972b4385f4f0bcb49ca81c6f33c388775dae940b9f44c90bdf57423203612  malicious  104.31.71.251
https://j.mp/38NwiZZ  malicious  104.27.187.65
https://app.nihaocloud.com/f/06096e5837654796a4d4/  malicious  104.16.18.94
Status____201711.gz.exe  malicious  104.23.98.190
ORDER SPECIFITIONS.exe  malicious  23.227.38.64
Documento relativo al carico e alla spedizione del cliente_italy2020.exe  malicious  104.24.127.89
b095b966805abb7df4ffddf183def880.exe  malicious  104.18.48.20
SIN029088.xls  malicious  104.20.139.65
SIN029088.xls  malicious  104.20.138.65
Request for Quote_PDF.vbs  malicious  104.24.127.89
01_file.exe  malicious  104.24.127.89

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 19508
Entropy (8bit): 3.763354078456508
Encrypted: false
SSDEEP: 192:cORZHBUZMXwjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xTo/u7sDS274ItCy2:RRJBUZMXwjB7vqsSc/u7sDX4ItCy2
MD5: 7089279C19BDD4172CB67C5E78F95572
SHA1: 4739BDF6E94A6F64C4D118B6AA4D78763E219099
SHA-256: CBE474CAC4EE630CECAEEB351D97FD9934962F317033A676313246C1EA52DA1C
SHA-512: A3C977D37F1277390C7619ABB036AB6FCF198E64DE5E9D4C3C10EEB7AC80A1A88A3E9262D4BD714B9668D3B43F1B061FC482FDB54EB7D170D8B8E3B4F2EE4421
Malicious: false
Yara Hits:
• Rule: SUSP_WER_Suspicious_Crash_Directory, Description: Detects a crashed application executed in a suspicious directory, Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.wer, Author: Florian Roth
Reputation: low
Preview (decoded from UTF-16):
Version=1
EventType=APPCRASH
EventTime=132502082059386448
ReportType=2
Consent=1
UploadTime=132502082085948889
ReportStatus=268435456
ReportIdentifier=25da85fb-ee3f-4098-ac92-3f1d1195a8cc
IntegratorReportIdentifier=68a92f32-2e73-4275-82fc-7b3bf3959144
Wow64Host=34404
Wow64Guest=332
NsAppName=Windows Update.exe
AppSessionGuid=0000150c-0001-0017-7b1c-3006f1bdd601
TargetAppId=W:0006e1f47985d3d44a16fb76b273a76a97fd0000ffff!0000b16032d83c91ee333221fafadd5f2381ca659d78!Windows Update.exe
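The Report.wer above is a UTF-16 key=value text file, and the YARA rule fires on where the crashing binary lived rather than on anything in the sample itself. Because WER archives such reports under C:\ProgramData, they survive the sample's self-deletion noted in the signature list and are a cheap forensic source on a host where the dropped executable is already gone. The following is an added example, not part of the Joe Sandbox report or of the YARA rule, that decodes a Report.wer, recovers the FILETIME timestamps, and flags the same condition the rule describes. The file content is constructed from the fields visible in the preview; the AppPath field is not visible in the truncated preview and its presence further down in the file is an assumption of this example, as are the directory and name heuristics.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed Report.wer content (sample data, not the sandbox's file). The fields
# repeat what the preview above shows; AppPath is assumed to follow further down,
# past the point where the preview is cut. Encoded as UTF-16 with BOM and CRLF.
SAMPLE_WER_TEXT = "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=132502082059386448",
    "ReportIdentifier=25da85fb-ee3f-4098-ac92-3f1d1195a8cc",
    "NsAppName=Windows Update.exe",
    "AppName=Windows Update.exe",
    "AppPath=C:\\Users\\user\\AppData\\Roaming\\WindowsUpdate.exe",
    "",
])
SAMPLE_WER_BYTES = SAMPLE_WER_TEXT.encode("utf-16")  # the "utf-16" codec prepends the BOM

# Directories a properly installed application does not crash from; a heuristic
# list in the spirit of the SUSP_WER_Suspicious_Crash_Directory hit recorded above.
SUSPICIOUS_DIRS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
    "\\users\\public\\", "\\programdata\\", "\\downloads\\", "\\desktop\\",
)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")
# Words that make a crashed image sound like part of Windows (heuristic).
IMPERSONATION_WORDS = ("windows", "microsoft", "update", "defender")


def parse_wer(raw: bytes) -> Dict[str, str]:
    """Decode a Report.wer (UTF-16 with BOM, CRLF lines) into a key -> value dict."""
    fields: Dict[str, str] = {}
    for line in raw.decode("utf-16").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def filetime_to_utc(filetime: int) -> datetime:
    """EventTime/UploadTime are Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def assess(fields: Dict[str, str]) -> Dict[str, object]:
    """Summarise the crash and list the reasons the report deserves a second look."""
    name = fields.get("AppName") or fields.get("NsAppName", "")
    path = fields.get("AppPath", "")
    low = path.lower()
    reasons: List[str] = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append(f"crashed image runs from a user-writable directory: {path}")
    if any(w in name.lower() for w in IMPERSONATION_WORDS) and not low.startswith(TRUSTED_ROOTS):
        reasons.append(f"Windows-sounding image name outside trusted roots: {name}")
    return {
        "app": name,
        "event_type": fields.get("EventType", ""),
        "event_time_utc": filetime_to_utc(int(fields["EventTime"])).isoformat(timespec="seconds"),
        "report_id": fields.get("ReportIdentifier", ""),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for key, value in assess(parse_wer(SAMPLE_WER_BYTES)).items():
        print(f"{key}: {value}")
```

The decoded EventTime, 132502082059386448, is 2020-11-18 21:23:25 UTC, which lines up with the 13:23 entries in the behavior timeline once the sandbox's local offset is applied; the same conversion applies to UploadTime. Pointed at every Report.wer under C:\ProgramData\Microsoft\Windows\WER\ReportArchive, the parser gives a host-wide list of crashes from AppData, Temp and Public, which is exactly what the YARA rule checks one file at a time.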
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_windows update.e_52f24b01f2038132be328c41fc3923fb83453f_00000000_08e5e905\Report.wer
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 18680
Entropy (8bit): 3.753140752327928
Encrypted: false
SSDEEP: 192:WIGbQSVhjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xTo/u7sDS274Itf:kbQcjB7vqsSc/u7sDX4Itf
MD5: 4E0405D431FE06C8DB569BB0B90164F7
SHA1: 78A7B21330C5BE49E728871AC8F587736E4FAAF5
SHA-256: E665909C5DE9CE3B7620FC122A03B76ECE881D6535CDD2C0178135D2E85F31B8
SHA-512: D542787FE647427B7C9E5581875DB233DEEA077A778191A53A41263745A7C201F074208A86409AE2870C176F0323C90B0B303A4898FC9D9E368587FEF54EDAEA
Malicious: false
Reputation: low
Preview (decoded from UTF-16):
Version=1
EventType=CLR20r3
EventTime=132502082004855315
ReportType=2
Consent=1
UploadTime=132502082008917824
ReportStatus=268435456
ReportIdentifier=84542e6a-4382-49af-89fe-4642810ecd24
Wow64Host=34404
Wow64Guest=332
AppSessionGuid=0000150c-0001-0017-7b1c-3006f1bdd601
TargetAppId=W:0006e1f47985d3d44a16fb76b273a76a97fd0000ffff!0000b16032d83c91ee333221fafadd5f2381ca659d78!Windows Update.exe
TargetAppVer=2020//11//17:15:08:34!0!Windows Update.exe
BootId=4294967295
TargetAsId=344
Is
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_windows update.e_52f24b01f2038132be328c41fc3923fb83453f_00000000_1b3a43a8\Report.wer
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 18580
Entropy (8bit): 3.7538345857997233
Encrypted: false
SSDEEP: 192:OZhQSVhjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sDS274It8:2hQcjB7vqsSt/u7sDX4It8
MD5: 8960DF80823EED9590D3BCABCB4A3195
SHA1: A3F465982AD46B1152E53F64742B9FAB9A1CB5D1
SHA-256: 2D7DEE9873BF1820F0BF4C27776F22D1D60A5DDD5C192ABEC180966B5C02D4A0
SHA-512: C864E952F30A5CFC0466AEF174CCB475ABDF7C8AEAC68FC46DC183969F6CEE96FB4EB35311EFB4865D2DCE772CEF0513F70CEAC9E917E0E0E31BE71747FE3BA6
Malicious: false
Reputation: low
Preview (decoded from UTF-16):
Version=1
EventType=CLR20r3
EventTime=132502082252511023
ReportType=2
Consent=1
UploadTime=132502082257510986
ReportStatus=268435456
ReportIdentifier=91843371-652f-45c7-8b2a-a95668f5772a
Wow64Host=34404
Wow64Guest=332
AppSessionGuid=0000194c-0001-0017-e452-e413f1bdd601
TargetAppId=W:0006e1f47985d3d44a16fb76b273a76a97fd0000ffff!0000b16032d83c91ee333221fafadd5f2381ca659d78!Windows Update.exe
TargetAppVer=2020//11//17:15:08:34!0!Windows Update.exe
BootId=4294967295
TargetAsId=357
Is
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D9D.tmp.WERInternalMetadata.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 5670
Entropy (8bit): 3.724856193004803
Encrypted: false
SSDEEP: 96:RtIU6o7r3GLt3iEM6UYDYZYQSfZPgTBCaM1Yy1f1tvIm:Rrl7r3GLNiEM6rDYZYQSGCp1Yy1ffIm
MD5: 95F2EBE72FF214D8A8D68A6C166F4DAE
SHA1: B703C9D6AD7D59A8E86B39D8AAC6457120A97B86
SHA-256: 83AD25F02D92AC80308577ADB0F8E8BE8BBF541CA19CFEAB3CC8B9D281DE5379
SHA-512: 9E87A59ACA83197ACC879DE98631AB9822E35ED8BBFCA24F46A05C9E6D1A127110ABE89F1BE7FBFEDAE26527D9AA1391455D32C0F84EFCB49B07EDDBB89533BE
Malicious: false
Reputation: low
Preview (decoded from UTF-16):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>17134</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
    <Revision>1</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>1033</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>6476</Pid>
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ED7.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4637
                                                                      Entropy (8bit):4.4527618910908435
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zskJgtWI9i0WSC8BYs8fm8M4JFK82FDQo+q8v//Rvxz4d:uITfihtSNmJFKgoKnRvx4d
                                                                      MD5:D97648D73509017640C5A04CF118184F
                                                                      SHA1:74D8E8320B6C57A385FB7EF5E1CCDDDA82EEB507
                                                                      SHA-256:CD80E6682578C2208BFD215D77294F492F50C0129B729500ACFBF06AD6D9AE72
                                                                      SHA-512:AD1E1C3EB7FC757AD4AADCCC19F0CA9CC27CD7869975603A6F80A00E81D3142506D56AA093514E5461321AA3A0E3D016557C25836D1ED621FEBD5AFD5DB2412A
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734794" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD1E.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5670
                                                                      Entropy (8bit):3.719208298799123
                                                                      Encrypted:false
                                                                      SSDEEP:96:RtIU6o7r3GLt3iQWv6X6BYZYQSfZPgTBCaM1jV1fULBm:Rrl7r3GLNiJv6XiYZYQSGCp1jV1fULBm
                                                                      MD5:6F0E93FC5FE862BFE982417D289E9B73
                                                                      SHA1:D8DFAAB85670FACC7F829D327EDEFB49EEE794F9
                                                                      SHA-256:77A1A290B7BA47BBBA7A66E02FD4026529C19DB6778AA36067DD183D73419755
                                                                      SHA-512:C6F405DDA4D5FC0BF12B629B7A7EBBB330A1FB38CEEDF6CB9206BCC7FD4D452C1A0F9AF4C9E4285E48ED12F1D9E91C6153540A39792923F94D44C0084201BC20
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.8.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDAC.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4637
                                                                      Entropy (8bit):4.450226258139721
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsRJgtWI9i0WSC8Bt8fm8M4JFK82FMV+q8v/mRvxzEd:uITfjhtSNYJFKIVK+RvxEd
                                                                      MD5:1B03DBE1E2C6F64693C0273C6A3B3A0F
                                                                      SHA1:1884CAD7A8024B1FEA071C6D99A3405B888CD11E
                                                                      SHA-256:29A1DEE2ECE333022FCDA0FE759627375D5A02C132717F1CC3B3CBE14521924A
                                                                      SHA-512:1F65D3F911915B633C1354D95C5EA306220AF642B7A1860B4ABF536F9542B6147292147DD1F871DEB4150365BF11F32244D81C92CF47E2E0266360D1BC9A34AF
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734793" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Nov 18 21:23:27 2020, 0x60521 type
                                                                      Category:dropped
                                                                      Size (bytes):7040228
                                                                      Entropy (8bit):4.723675783236964
                                                                      Encrypted:false
                                                                      SSDEEP:98304:fsqKSRLDPyq9H2bUhr1b1XaE1nU8es2OfBNeQCPoeOVVSTLtTOp:ySR3yq9HcyrL0cCFOV5
                                                                      MD5:0FAD6C03DEA3E1B26C0FBF17C4B8C8AB
                                                                      SHA1:8130F67C5788401570AE8BA8422940DA7910720B
                                                                      SHA-256:7DA5A6E911D169B2B9BA032ED4AB04DC39E53AC17FE49A0FB52AA0BC28AE6984
                                                                      SHA-512:77CB0FCDB10012F46467A6BFC5DB7EA0737D35F6A5A7B82B7CE98CC81347BFF708745DB2F1EC274A3304BA88DD1E3369B1F03FABB203DD334043BE3641E36515
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low
                                                                      Preview: MDMP....... ........._!..................U...........B.......9......GenuineIntelW...........T............._.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB36.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):6350
                                                                      Entropy (8bit):3.7261065119655044
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNiJU6yIwGYNSxCprq89brtsfCZm:RrlsNia6yIBYNS6rmfV
                                                                      MD5:78524C46881C75372A6F8E614683C79F
                                                                      SHA1:370969709A50D46B57CF6613B8BB8AF395377971
                                                                      SHA-256:EE8A23BA4E379CF7A824D02E64C3D7DACC8FD238DD1B072E3457C8D6CE5F14F8
                                                                      SHA-512:FF3F0ABF543461DC416CA12BC7E096F014ABF5C2B926D86D60F5A08386B97B41985DEA5EF5C95957E6019437F92359177246AC214F7C0DB5314AFA6F064C8237
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.8.8.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBC4.tmp.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4622
                                                                      Entropy (8bit):4.49341035571301
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zskJgtWI9i0WSC8Bb8fm8M4JwEZFH+q8/UNRvxzXd:uITfihtSNeJJLDNRvxXd
                                                                      MD5:75CFD237E67202906AEAA3C9721A7B9F
                                                                      SHA1:B89B0224A00DBC6704B2F9B0A022771376BAFBD0
                                                                      SHA-256:34AF33BC20E92B2AA31B49596018CCA936AFDE743C660CD38CB3D10A904DEDE6
                                                                      SHA-512:0A7B6193EF10AC287A028A420F1AF5AD8E66E0C3146B406CF87C48B1622FFA918F6063E6E26DFEF43F0AF547EA60BF7F976467E9ED898402EAF1D58FBEEB268A
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734794" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Prueba de pago.exe.log
                                                                      Process:C:\Users\user\Desktop\Prueba de pago.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):916
                                                                      Entropy (8bit):5.282390836641403
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                                      MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                                      SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                                      SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                                      SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                                      Malicious:true
                                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log
                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):916
                                                                      Entropy (8bit):5.282390836641403
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                                      MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                                      SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                                      SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                                      SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                                      Malicious:false
                                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                                      C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):48
                                                                      Entropy (8bit):4.387380345401073
                                                                      Encrypted:false
                                                                      SSDEEP:3:oNWXp5cViEaKC59KuCa:oNWXp+NaZ5v
                                                                      MD5:95FC50C7E40BB0D5EBD49FCBEE4E890D
                                                                      SHA1:E5086A9390CC8D6F512A206AB1AC4309A4CC4326
                                                                      SHA-256:DC88107DF527833D0D8B7AC45D31AF0E5343AE36AB9725016B046CDD77E46EC7
                                                                      SHA-512:4AC9E01163C00CC874BDBE1E4B5BF2463F8B53B9102705C774C790D8DFD8AEAD662DEDA812CF457022820FFD8174A1CD0275601C4BC6E4CCDB7E5A80CD52F799
                                                                      Malicious:false
                                                                      Preview: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):2
                                                                      Entropy (8bit):1.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:Qn:Qn
                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                      Malicious:false
                                                                      Preview: ..
                                                                      C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1129472
                                                                      Entropy (8bit):6.927370959170246
                                                                      Encrypted:false
                                                                      SSDEEP:24576:9JCKxWfPNFwyIUlawycDT0+Yrdypzvq3/7j:ZI4s0wbDgt5QW/
                                                                      MD5:B3A244A097904A4D6689A582D7EC9985
                                                                      SHA1:B16032D83C91EE333221FAFADD5F2381CA659D78
                                                                      SHA-256:286B416351F4CA6CC215C58692AF9BE6B9F4EB54C4641160E2A31DFD16C43EC7
                                                                      SHA-512:533CBDDF7D78740E2586D58588C5D0AD4407417C835C0407D93D86B3202626F160D664B69AEFB3D32F94416D7558D6BA9377A28F44BE3FF21ACE2FD4E51F0748
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 44%
                                                                      Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...........................p...$...@..dG......................p...................................................................................CODE............................... ..`DATA....\...........................@...BSS..........`.......L...................idata...$...p...&...L..............@....tls.................r...................rdata...............r..............@..P.reloc..p............t..............@..P.rsrc...dG...@...H..................@..P.....................V..............@..P........................................................................................................................................
                                                                      C:\Users\user\AppData\Roaming\Windows Update.exe:Zone.Identifier
                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:true
                                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                                      C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1129472
                                                                      Entropy (8bit):6.927370959170246
                                                                      Encrypted:false
                                                                      SSDEEP:24576:9JCKxWfPNFwyIUlawycDT0+Yrdypzvq3/7j:ZI4s0wbDgt5QW/
                                                                      MD5:B3A244A097904A4D6689A582D7EC9985
                                                                      SHA1:B16032D83C91EE333221FAFADD5F2381CA659D78
                                                                      SHA-256:286B416351F4CA6CC215C58692AF9BE6B9F4EB54C4641160E2A31DFD16C43EC7
                                                                      SHA-512:533CBDDF7D78740E2586D58588C5D0AD4407417C835C0407D93D86B3202626F160D664B69AEFB3D32F94416D7558D6BA9377A28F44BE3FF21ACE2FD4E51F0748
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 44%
                                                                      Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...........................p...$...@..dG......................p...................................................................................CODE............................... ..`DATA....\...........................@...BSS..........`.......L...................idata...$...p...&...L..............@....tls.................r...................rdata...............r..............@..P.reloc..p............t..............@..P.rsrc...dG...@...H..................@..P.....................V..............@..P........................................................................................................................................
                                                                      C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                                      Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:true
Preview: [ZoneTransfer]....ZoneId=0 (ZoneId 0 is the Local Machine zone: the dropped copy carries no Mark-of-the-Web, so it is not treated as internet-sourced content)
                                                                      C:\Users\user\AppData\Roaming\pid.txt
                                                                      Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):1.5
                                                                      Encrypted:false
                                                                      SSDEEP:3:G:G
                                                                      MD5:AB49EF78E2877BFD2C2BFA738E459BF0
                                                                      SHA1:3745C074470E4CC5747DD76743675E1507E59C7A
                                                                      SHA-256:1089C7C8B99B159441206D96E5BD6246556F0D8D4D41D3B8A96A9298354BD19F
                                                                      SHA-512:100CE65B2EB36A1C04BF6C21D4D54BB510BEDDB5FDD592AD5182001CAA9C7ECF24C9CB5EFC146EB7413D3465F0D72B7BBC3FB9F292DD54D5D51FAB74A3169B8F
                                                                      Malicious:false
                                                                      Preview: 6476
                                                                      C:\Users\user\AppData\Roaming\pidloc.txt
                                                                      Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):49
                                                                      Entropy (8bit):4.441568140944513
                                                                      Encrypted:false
                                                                      SSDEEP:3:oNWXp5cViEaKC59KYr4a:oNWXp+NaZ534a
                                                                      MD5:6078085422A31D60FCEB24D4FA24B6E8
                                                                      SHA1:0CD056478F3D877B3D44C7B439485B1ACFD78F5A
                                                                      SHA-256:9113E6728CEB1F460E3CEAB19852A31602CD77A92E7B861802FE339FD5CFD837
                                                                      SHA-512:22CE5D96BB25519CB14F27BDB44D7FAEDC6D5C8B8F81A1F972EA638BF9731D8793C98359D7C9476D50AF46346E0964E82F5B0B2F8B1B6763B078D2B045FB2EA1
                                                                      Malicious:false
                                                                      Preview: C:\Users\user\AppData\Roaming\Windows Update.exe

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.927370959170246
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                      • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      File name:Prueba de pago.exe
                                                                      File size:1129472
                                                                      MD5:b3a244a097904a4d6689a582d7ec9985
                                                                      SHA1:b16032d83c91ee333221fafadd5f2381ca659d78
                                                                      SHA256:286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
                                                                      SHA512:533cbddf7d78740e2586d58588c5d0ad4407417c835c0407d93d86b3202626f160d664b69aefb3d32f94416d7558d6ba9377a28f44be3ff21ace2fd4e51f0748
                                                                      SSDEEP:24576:9JCKxWfPNFwyIUlawycDT0+Yrdypzvq3/7j:ZI4s0wbDgt5QW/
                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                      File Icon

                                                                      Icon Hash:4c567676561e0701

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x479884
                                                                      Entrypoint Section:CODE
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:(none set: neither DYNAMIC_BASE/ASLR nor NX_COMPAT/DEP is requested by the image)
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (fixed constant written by Delphi linkers, not the actual build time)
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:5113dec31b8616dbad783836e7188783

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      add esp, FFFFFFF0h
                                                                      mov eax, 00479694h
                                                                      call 00007FC17CF2F78Dh
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007FC17CF7F54Dh
                                                                      mov ecx, dword ptr [00495BC8h]
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      mov edx, dword ptr [00479188h]
                                                                      call 00007FC17CF7F54Dh
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007FC17CF7F5C1h
                                                                      call 00007FC17CF2D284h
                                                                      lea eax, dword ptr [eax+00h]
(the remaining bytes of the preview are 00 padding after the final call, which the disassembler renders as 64 repetitions of add byte ptr [eax], al)

                                                                      Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x97000         | 0x24c4       | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xa4000         | 0x74764      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x9c000         | 0x7f70       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x9b000         | 0x18         | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                      Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
CODE   | 0x1000          | 0x788cc      | 0x78a00  | False    | 0.524172198834  | data      | 6.51448811653 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA   | 0x7a000         | 0x1bc5c      | 0x1be00  | False    | 0.171568455717  | data      | 2.71109267168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS    | 0x96000         | 0xcb1        | 0x0      | False    | 0               | empty     | 0.0           | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x97000         | 0x24c4       | 0x2600   | False    | 0.352076480263  | data      | 4.94171972073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls   | 0x9a000         | 0x10         | 0x0      | False    | 0               | empty     | 0.0           | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x9b000         | 0x18         | 0x200    | False    | 0.048828125     | data      | 0.20058190744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x9c000         | 0x7f70       | 0x8000   | False    | 0.559631347656  | data      | 6.62495186635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc  | 0xa4000         | 0x74764      | 0x74800  | False    | 0.814853389887  | data      | 7.42056726509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Note: .rsrc occupies 0x74800 of the file's 1129472 bytes (about 42%) at entropy 7.42, far above the 6.5 of the CODE section; a single RT_BITMAP resource of 0x534e1 bytes (see Resources below) accounts for most of that space. Entropy here is computed over raw file bytes, which is why BSS and .tls (Raw Size 0x0) report 0.0.
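The timestamp, section rights and entropy figures in the tables above can be re-derived from the raw file without a sandbox. The following is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It handles PE32 images only (the sample's optional-header magic is 0x10b), and it runs against a constructed minimal PE embedded in the code rather than against the sample itself, so that it works offline:

```python
"""Pure-Python PE32 header and section triage (standard library only).

Added example for this page, not part of the sandbox report or its tooling.
It re-derives three static indicators from raw bytes: the COFF TimeDateStamp
(Delphi linkers write the fixed value 0x2A425E19, i.e. 1992-06-19), the
per-section Shannon entropy, and section characteristics worth a second look.
Only PE32 (optional-header magic 0x10b) is handled; PE32+ raises ValueError.
"""
import math
import struct
from datetime import datetime, timezone

DELPHI_TIMESTAMP = 0x2A425E19  # constant emitted by Borland/Delphi linkers
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Parse the DOS header pointer, COFF header, PE32 optional header and section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    imagebase = struct.unpack_from("<I", blob, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        raw = blob[rawptr:rawptr + rawsize] if rawsize else b""  # entropy is over file bytes, so BSS-style sections score 0.0
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "flags": flags, "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "entrypoint": imagebase + entry_rva, "sections": sections}


def triage(pe: dict) -> list:
    """Findings an analyst would want called out from the parsed headers."""
    findings = []
    if pe["timestamp"] == DELPHI_TIMESTAMP:
        findings.append("TimeDateStamp is the fixed Delphi constant 0x2A425E19, not a build time")
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable")
        if s["rawsize"] and s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted content")
    return findings


def build_sample_pe() -> bytes:
    """Constructed test input, not the analysed sample: Delphi-style timestamp,
    a W+X CODE section with a flat byte histogram, and an all-zero DATA section."""
    code = bytes(range(256)) * 4  # every byte value occurs 4 times -> entropy exactly 8.0
    secs = [(b"CODE", 0x1000, code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
            (b"DATA", 0x2000, b"\0" * 512, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * len(secs) + 0x1FF) & ~0x1FF  # 0x200 file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), DELPHI_TIMESTAMP, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    table, body, ptr = b"", b"", raw_ptr
    for name, va, content, flags in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(content), va, len(content), ptr, 0, 0, 0, 0, flags)
        body += content
        ptr += len(content)
    header = dos + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\0" * (raw_ptr - len(header)) + body


if __name__ == "__main__":
    import sys
    pe = parse_pe(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe())
    print(f"timestamp {pe['timestamp']:#x} ({pe['timestamp_utc']:%Y-%m-%d %H:%M:%S} UTC), entrypoint {pe['entrypoint']:#x}")
    for s in pe["sections"]:
        print(f"{s['name']:<8} va {s['va']:#08x} raw {s['rawsize']:#08x} entropy {s['entropy']:.2f}")
    for finding in triage(pe):
        print("!", finding)
```

Run it with the sample's path as the only argument to compare against the Time Stamp, Entrypoint and Sections values above; without an argument it parses the constructed PE. The entropy threshold of 7.0 and the W+X check are the example's own heuristics, not the sandbox's scoring rules.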

                                                                      Resources

Name            | RVA      | Size    | Type                                                                                                                       | Language | Country
RT_CURSOR       | 0xa4a08  | 0x134   | data                                                                                                                       |          |
RT_CURSOR       | 0xa4b3c  | 0x134   | data                                                                                                                       |          |
RT_CURSOR       | 0xa4c70  | 0x134   | data                                                                                                                       |          |
RT_CURSOR       | 0xa4da4  | 0x134   | data                                                                                                                       |          |
RT_CURSOR       | 0xa4ed8  | 0x134   | data                                                                                                                       |          |
RT_CURSOR       | 0xa500c  | 0x134   | data                                                                                                                       |          |
RT_CURSOR       | 0xa5140  | 0x134   | data                                                                                                                       |          |
RT_BITMAP       | 0xa5274  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xa5444  | 0x1e4   | data                                                                                                                       |          |
RT_BITMAP       | 0xa5628  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xa57f8  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xa59c8  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xa5b98  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xa5d68  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xa5f38  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xa6108  | 0x534e1 | data                                                                                                                       | English  | United States
RT_BITMAP       | 0xf95ec  | 0x1d0   | data                                                                                                                       |          |
RT_BITMAP       | 0xf97bc  | 0xd8    | data                                                                                                                       |          |
RT_BITMAP       | 0xf9894  | 0xd8    | data                                                                                                                       |          |
RT_BITMAP       | 0xf996c  | 0xd8    | data                                                                                                                       |          |
RT_BITMAP       | 0xf9a44  | 0xd8    | data                                                                                                                       |          |
RT_BITMAP       | 0xf9b1c  | 0xd8    | data                                                                                                                       |          |
RT_BITMAP       | 0xf9bf4  | 0xe8    | GLS_BINARY_LSB_FIRST                                                                                                       |          |
RT_ICON         | 0xf9cdc  | 0x951b  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                |          |
RT_ICON         | 0x1031f8 | 0x668   | data                                                                                                                       | English  | United States
RT_ICON         | 0x103860 | 0x25a8  | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 16777215, next used block 16777215      |          |
RT_ICON         | 0x105e08 | 0x10a8  | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 1566797424, next used block 1566797424 |          |
RT_ICON         | 0x106eb0 | 0x468   | GLS_BINARY_LSB_FIRST                                                                                                       |          |
RT_ICON         | 0x107318 | 0x10828 | data                                                                                                                       |          |
RT_DIALOG       | 0x117b40 | 0x52    | data                                                                                                                       |          |
RT_RCDATA       | 0x117b94 | 0x10    | data                                                                                                                       |          |
RT_RCDATA       | 0x117ba4 | 0x274   | data                                                                                                                       |          |
RT_RCDATA       | 0x117e18 | 0x7c3   | Delphi compiled form 'TForm1'                                                                                              |          |
RT_GROUP_CURSOR | 0x1185dc | 0x14    | Lotus unknown worksheet or configuration, revision 0x1                                                                     |          |
RT_GROUP_CURSOR | 0x1185f0 | 0x14    | Lotus unknown worksheet or configuration, revision 0x1                                                                     |          |
RT_GROUP_CURSOR | 0x118604 | 0x14    | Lotus unknown worksheet or configuration, revision 0x1                                                                     |          |
RT_GROUP_CURSOR | 0x118618 | 0x14    | Lotus unknown worksheet or configuration, revision 0x1                                                                     |          |
RT_GROUP_CURSOR | 0x11862c | 0x14    | Lotus unknown worksheet or configuration, revision 0x1                                                                     |          |
RT_GROUP_CURSOR | 0x118640 | 0x14    | Lotus unknown worksheet or configuration, revision 0x1                                                                     |          |
RT_GROUP_CURSOR | 0x118654 | 0x14    | Lotus unknown worksheet or configuration, revision 0x1                                                                     |          |
RT_GROUP_ICON   | 0x118668 | 0x14    | data                                                                                                                       | English  | United States
RT_GROUP_ICON   | 0x11867c | 0x4c    | data                                                                                                                       |          |
RT_HTML         | 0x1186c8 | 0x99    | data                                                                                                                       | English  | United States

(The Type column is libmagic's guess at the raw resource bytes; "dBase IV DBT" and "Lotus worksheet" labels on icon and cursor-group resources are false positives of that heuristic, not evidence of embedded database files.)

                                                                      Imports

DLL          | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll   | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll  | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll    | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll   | WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardType, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
kernel32.dll | MulDiv

Note: the same DLL appears in several rows because the Delphi linker emits one import descriptor per unit that references it; this is normal for Delphi binaries and not by itself a sign of tampering. The imports are the stock Delphi VCL set (forms, GDI, image lists); VirtualProtect/VirtualProtectEx, SetWindowsHookExA and CallNextHookEx are also part of the VCL runtime and, in a Delphi loader like this one, say little about the payload that is unpacked at runtime.

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                      Network Behavior

                                                                      Network Port Distribution

                                                                      TCP Packets


                                                                      UDP Packets


                                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 18, 2020 13:23:17.814177036 CET | 192.168.2.3 | 8.8.8.8 | 0xc79a | Standard query (0) | 49.124.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 13:23:18.107389927 CET | 192.168.2.3 | 8.8.8.8 | 0xf92a | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:18.217336893 CET | 192.168.2.3 | 8.8.8.8 | 0xd08c | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:19.293009043 CET | 192.168.2.3 | 8.8.8.8 | 0x6512 | Standard query (0) | smtp.jif-asesores.com | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:43.442058086 CET | 192.168.2.3 | 8.8.8.8 | 0x6abf | Standard query (0) | 49.124.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 13:23:43.787981987 CET | 192.168.2.3 | 8.8.8.8 | 0xc6f8 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:43.896718025 CET | 192.168.2.3 | 8.8.8.8 | 0x81b6 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:45.081165075 CET | 192.168.2.3 | 8.8.8.8 | 0x6ffd | Standard query (0) | smtp.jif-asesores.com | A (IP address) | IN (0x0001)

                                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 18, 2020 13:23:17.850110054 CET | 8.8.8.8 | 192.168.2.3 | 0xc79a | Name error (3) | 49.124.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 13:23:18.134546995 CET | 8.8.8.8 | 192.168.2.3 | 0xf92a | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:18.134546995 CET | 8.8.8.8 | 192.168.2.3 | 0xf92a | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:18.252717972 CET | 8.8.8.8 | 192.168.2.3 | 0xd08c | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:18.252717972 CET | 8.8.8.8 | 192.168.2.3 | 0xd08c | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:19.367795944 CET | 8.8.8.8 | 192.168.2.3 | 0x6512 | No error (0) | smtp.jif-asesores.com | | 217.76.146.62 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:43.477823019 CET | 8.8.8.8 | 192.168.2.3 | 0x6abf | Name error (3) | 49.124.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 13:23:43.823657036 CET | 8.8.8.8 | 192.168.2.3 | 0xc6f8 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:43.823657036 CET | 8.8.8.8 | 192.168.2.3 | 0xc6f8 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:43.927705050 CET | 8.8.8.8 | 192.168.2.3 | 0x81b6 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:43.927705050 CET | 8.8.8.8 | 192.168.2.3 | 0x81b6 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 13:23:45.118835926 CET | 8.8.8.8 | 192.168.2.3 | 0x6ffd | No error (0) | smtp.jif-asesores.com | | 217.76.146.62 | A (IP address) | IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • whatismyipaddress.com

                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49725 | 104.16.155.36 | 80 | C:\Users\user\AppData\Roaming\Windows Update.exe

Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 13:23:18.173736095 CET | 155 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 18, 2020 13:23:18.205449104 CET | 156 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Nov 2020 12:23:18 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 18 Nov 2020 13:23:18 GMT
Location: https://whatismyipaddress.com/
cf-request-id: 067ce83ba400002bcab53dc000000001
Server: cloudflare
CF-RAY: 5f41a9729df12bca-FRA
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49738 | 104.16.155.36 | 80 | C:\Users\user\AppData\Roaming\Windows Update.exe

Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 13:23:43.859767914 CET | 272 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 18, 2020 13:23:43.888427973 CET | 273 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Nov 2020 12:23:43 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 18 Nov 2020 13:23:43 GMT
Location: https://whatismyipaddress.com/
cf-request-id: 067ce89ffc0000c2d6d5989000000001
Server: cloudflare
CF-RAY: 5f41aa132d0dc2d6-FRA
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                      SMTP Packets

                                                                      Timestamp                           | Src Port | Dst Port | Source IP     | Dest IP       | Commands
                                                                      Nov 18, 2020 13:23:19.484149933 CET | 587      | 49728    | 217.76.146.62 | 192.168.2.3   | 220 smtp-04.servidoresdns.net ESMTP ready
                                                                      Nov 18, 2020 13:23:19.529613972 CET | 49728    | 587      | 192.168.2.3   | 217.76.146.62 | EHLO 818225
                                                                      Nov 18, 2020 13:23:19.582458019 CET | 587      | 49728    | 217.76.146.62 | 192.168.2.3   | 250-smtp-04.servidoresdns.net
                                                                                                          |          |          |               |               | 250-PIPELINING
                                                                                                          |          |          |               |               | 250-SIZE 51200000
                                                                                                          |          |          |               |               | 250-ETRN
                                                                                                          |          |          |               |               | 250-ENHANCEDSTATUSCODES
                                                                                                          |          |          |               |               | 250-8BITMIME
                                                                                                          |          |          |               |               | 250-AUTH PLAIN LOGIN CRAM-MD5
                                                                                                          |          |          |               |               | 250 STARTTLS
                                                                      Nov 18, 2020 13:23:19.699366093 CET | 49728    | 587      | 192.168.2.3   | 217.76.146.62 | AUTH login YWRtaW5pc3RyYWNpb25AamlmLWFzZXNvcmVzLmNvbQ==
                                                                      Nov 18, 2020 13:23:19.753313065 CET | 587      | 49728    | 217.76.146.62 | 192.168.2.3   | 334 UGFzc3dvcmQ6
                                                                      Nov 18, 2020 13:23:22.824961901 CET | 587      | 49728    | 217.76.146.62 | 192.168.2.3   | 535 5.7.0 Invalid username or password
                                                                      Nov 18, 2020 13:23:22.826849937 CET | 49728    | 587      | 192.168.2.3   | 217.76.146.62 | MAIL FROM:<administracion@jif-asesores.com>
                                                                      Nov 18, 2020 13:23:22.881308079 CET | 587      | 49728    | 217.76.146.62 | 192.168.2.3   | 530 5.7.1 Authentication required
                                                                      Nov 18, 2020 13:23:45.228775024 CET | 587      | 49741    | 217.76.146.62 | 192.168.2.3   | 220 smtp-04.servidoresdns.net ESMTP ready
                                                                      Nov 18, 2020 13:23:45.229201078 CET | 49741    | 587      | 192.168.2.3   | 217.76.146.62 | EHLO 818225
                                                                      Nov 18, 2020 13:23:45.281131029 CET | 587      | 49741    | 217.76.146.62 | 192.168.2.3   | 250-smtp-04.servidoresdns.net
                                                                                                          |          |          |               |               | 250-PIPELINING
                                                                                                          |          |          |               |               | 250-SIZE 51200000
                                                                                                          |          |          |               |               | 250-ETRN
                                                                                                          |          |          |               |               | 250-ENHANCEDSTATUSCODES
                                                                                                          |          |          |               |               | 250-8BITMIME
                                                                                                          |          |          |               |               | 250-AUTH PLAIN LOGIN CRAM-MD5
                                                                                                          |          |          |               |               | 250 STARTTLS
                                                                      Nov 18, 2020 13:23:45.281732082 CET | 49741    | 587      | 192.168.2.3   | 217.76.146.62 | AUTH login YWRtaW5pc3RyYWNpb25AamlmLWFzZXNvcmVzLmNvbQ==
                                                                      Nov 18, 2020 13:23:45.333138943 CET | 587      | 49741    | 217.76.146.62 | 192.168.2.3   | 334 UGFzc3dvcmQ6
                                                                      Nov 18, 2020 13:23:48.434525013 CET | 587      | 49741    | 217.76.146.62 | 192.168.2.3   | 535 5.7.0 Invalid username or password
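Added example, not part of the Joe Sandbox report: the script below recovers what an analyst takes from the SMTP exchange above. The HawkEye build authenticates to the operator's mailbox with AUTH LOGIN in the clear on port 587 (the server advertises STARTTLS but the client never sends it); the base64 initial response decodes to the same account that appears in MAIL FROM; the 334 challenge decodes to "Password:"; and both attempts are rejected with 535, followed by 530 on MAIL FROM, so no stolen data left this host by mail during the run. The transcript is transcribed from the table; the client's reply to the password challenge is not shown in the report and is therefore not reconstructed. The AUTH PLAIN decoding and the STARTTLS tracking go beyond the captured exchange so the same function works on other SMTP captures.

```python
"""Extract the exfiltration mailbox and the authentication outcome from a
captured SMTP transcript (the HawkEye sample's traffic to 217.76.146.62:587).
Sample input is transcribed from this report; it is not a live capture."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the 'SMTP Packets' table ('S' = server to client,
# 'C' = client to server). The client's answer to the 334 'Password:'
# challenge is not shown in the report, so it is not reproduced here.
TRANSCRIPT: List[Tuple[str, str]] = [
    ("S", "220 smtp-04.servidoresdns.net ESMTP ready"),
    ("C", "EHLO 818225"),
    ("S", "250-smtp-04.servidoresdns.net\r\n250-PIPELINING\r\n250-SIZE 51200000\r\n"
          "250-ETRN\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n"
          "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 STARTTLS"),
    ("C", "AUTH login YWRtaW5pc3RyYWNpb25AamlmLWFzZXNvcmVzLmNvbQ=="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "535 5.7.0 Invalid username or password"),
    ("C", "MAIL FROM:<administracion@jif-asesores.com>"),
    ("S", "530 5.7.1 Authentication required"),
]


@dataclass
class SmtpFindings:
    server_banner: str = ""
    ehlo_name: str = ""
    starttls_offered: bool = False
    auth_mechanism: str = ""
    cleartext_auth: bool = False           # AUTH issued before any STARTTLS
    auth_username: str = ""
    auth_password: str = ""                # stays empty when not captured
    challenges: List[str] = field(default_factory=list)
    auth_succeeded: Optional[bool] = None  # None = no 235/535 seen
    mail_from: str = ""


def _b64(token: str) -> Optional[str]:
    """Decode one base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def _plain_creds(token: str):
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password) -> (authcid, password)."""
    parts = (_b64(token) or "").split("\x00")
    return (parts[1], parts[2]) if len(parts) == 3 else None


def analyse_smtp(transcript) -> SmtpFindings:
    f = SmtpFindings()
    tls_started = False   # a client STARTTLS answered by 220
    awaiting_tls = False
    pending = None        # 'user' / 'pass': what the next bare client line carries (LOGIN)
    for direction, payload in transcript:
        lines = payload.split("\r\n")
        first = lines[0]
        if direction == "S":
            code = first[:3]
            if code == "220":
                if awaiting_tls:
                    tls_started, awaiting_tls = True, False
                elif not f.server_banner:
                    f.server_banner = first[4:]
            elif code == "250":
                # '250-XXX' / '250 XXX' lines are the EHLO capability list
                f.starttls_offered |= any(l[4:].strip().upper() == "STARTTLS" for l in lines)
            elif code == "334":
                challenge = _b64(first[4:]) or first[4:]
                f.challenges.append(challenge)
                pending = "user" if challenge.lower().startswith("username") else "pass"
            elif code == "235":
                f.auth_succeeded, pending = True, None
            elif code in ("535", "534", "538"):
                f.auth_succeeded, pending = False, None
            continue

        verb, _, rest = first.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            f.ehlo_name = rest.strip()
        elif verb == "STARTTLS":
            awaiting_tls = True
        elif verb == "AUTH":
            mech, _, initial = rest.partition(" ")
            f.auth_mechanism = mech.lower()
            f.cleartext_auth = not tls_started
            if f.auth_mechanism == "plain" and initial and _plain_creds(initial):
                f.auth_username, f.auth_password = _plain_creds(initial)
            elif f.auth_mechanism == "login" and initial:
                f.auth_username = _b64(initial) or initial
        elif verb == "MAIL":
            m = re.search(r"<([^>]*)>", rest)
            f.mail_from = m.group(1) if m else rest.strip()
        elif pending and " " not in first:
            # a bare base64 line answering the last 334 challenge
            if f.auth_mechanism == "plain" and _plain_creds(first):
                f.auth_username, f.auth_password = _plain_creds(first)
            elif pending == "user":
                f.auth_username = _b64(first) or first
            else:
                f.auth_password = _b64(first) or first
            pending = None
    return f


if __name__ == "__main__":
    print(analyse_smtp(TRANSCRIPT))
```

Run against the table, the findings object reports auth_mechanism "login", auth_username and mail_from both "administracion@jif-asesores.com", challenges ["Password:"], auth_succeeded False and cleartext_auth True; the username is the indicator worth pivoting on (the same account across the report's two connection attempts), and the 535 tells you the drop account was no longer usable at analysis time.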

                                                                      System Behavior

                                                                      General

                                                                      Start time:13:23:04
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\Prueba de pago.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\Prueba de pago.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:05
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\Prueba de pago.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\Prueba de pago.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:13
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Windows Update.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 44%, ReversingLabs
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:14
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Windows Update.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.269629299.00000000039E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.269629299.00000000039E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:19
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2384
                                                                      Imagebase:0x7ff7488e0000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:13:23:22
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.252405021.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      General

                                                                      Start time:13:23:22
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      General

                                                                      Start time:13:23:25
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2488
                                                                      Imagebase:0x1330000
                                                                      File size:434592 bytes
                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      General

                                                                      Start time:13:23:31
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 44%, ReversingLabs
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:32
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:36
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Windows Update.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:37
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Windows Update.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1129472 bytes
                                                                      MD5 hash:B3A244A097904A4D6689A582D7EC9985
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.305848989.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.305848989.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.305679255.0000000002E2C000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:23:44
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2376
                                                                      Imagebase:0x10000000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis
