
Analysis Report hkaP5RPCGNDVq3Z.exe

Overview

General Information

Sample Name: hkaP5RPCGNDVq3Z.exe
Analysis ID: 339931
MD5: 07556e1af1f43f7dd42d32d188187e4a
SHA1: 42110c04869726694a2537e05f987039cd829ac0
SHA256: a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
Tags: exe, HawkEye


Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • hkaP5RPCGNDVq3Z.exe (PID: 5552 cmdline: 'C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe' MD5: 07556E1AF1F43F7DD42D32D188187E4A)
    • schtasks.exe (PID: 1560 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • hkaP5RPCGNDVq3Z.exe (PID: 5908 cmdline: {path} MD5: 07556E1AF1F43F7DD42D32D188187E4A)
      • LOGO AND PICTURES.exe (PID: 5872 cmdline: 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0 MD5: D9001138C5119D936B70BF77E136AFBE)
        • netsh.exe (PID: 6400 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Pictures.exe (PID: 5868 cmdline: 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0 MD5: 25146E9C5ECD498DD17BA01E6CFAEB24)
        • dw20.exe (PID: 6348 cmdline: dw20.exe -x -s 2100 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • PO456724392021.exe (PID: 2208 cmdline: 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0 MD5: F38E2D474C075EFF35B4EF81FDACA650)
      • PO2345714382021.exe (PID: 5880 cmdline: 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0 MD5: 9B79DE8E3AD21F14E71E55CFA6AE4727)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Username: ": "VjouxsS", "URL: ": "http://YfWA3aJjc76ztEimE.com", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5876", "Password: ": "Nd6zB", "From: ": "sales01@seedwellresources.xyz"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
C:\Users\user\AppData\Local\Temp\Pictures.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\Pictures.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
C:\Users\user\AppData\Local\Temp\Pictures.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(2 further entries not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b6f7:$key: HawkEyeKeylogger
  • 0x7d93b:$salt: 099u787978786
  • 0x7bd38:$string1: HawkEye_Keylogger
  • 0x7cb8b:$string1: HawkEye_Keylogger
  • 0x7d89b:$string1: HawkEye_Keylogger
  • 0x7c121:$string2: holdermail.txt
  • 0x7c141:$string2: holdermail.txt
  • 0x7c063:$string3: wallet.dat
  • 0x7c07b:$string3: wallet.dat
  • 0x7c091:$string3: wallet.dat
  • 0x7d45f:$string4: Keylog Records
  • 0x7d777:$string4: Keylog Records
  • 0x7d993:$string5: do not script -->
  • 0x7b6df:$string6: \pidloc.txt
  • 0x7b76d:$string7: BSPLIT
  • 0x7b77d:$string7: BSPLIT
00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(56 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.0.PO456724392021.exe.e90000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.PO456724392021.exe.e90000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.PO2345714382021.exe.a0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.0.Pictures.exe.470000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT
7.0.Pictures.exe.470000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(15 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0, ParentImage: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, ParentProcessId: 5872, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6400
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe' , ParentImage: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe, ParentProcessId: 5552, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp', ProcessId: 1560

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: hkaP5RPCGNDVq3Z.exe.5908.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: PO456724392021.exe.2208.8.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "VjouxsS", "URL: ": "http://YfWA3aJjc76ztEimE.com", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5876", "Password: ": "Nd6zB", "From: ": "sales01@seedwellresources.xyz"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Joe Sandbox ML: detected
Source: 7.0.Pictures.exe.470000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.Pictures.exe.470000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.Pictures.exe.470000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.Pictures.exe.470000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.LOGO AND PICTURES.exe.880000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: hkaP5RPCGNDVq3Z.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49732 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: hkaP5RPCGNDVq3Z.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277045507.0000000002840000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbdN source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: mscorlib.pdbz\AppData\Local\Temp\Pictures.exe source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbln source: Pictures.exe, 00000007.00000002.284885892.0000000006460000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: C:\Windows\mscorlib.pdbd source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr
Source: Binary string: mscorrc.pdb source: Pictures.exe, 00000007.00000002.280912855.0000000004DD0000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe | Binary or memory string: [autorun]
Source: Pictures.exe | Binary or memory string: autorun.inf
Source: Pictures.exe.3.dr | Binary or memory string: autorun.inf
Source: Pictures.exe.3.dr | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then jmp 04CB1A73h
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then jmp 04CB1A73h
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then mov esp, ebp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://YfWA3aJjc76ztEimE.com
May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 199.193.7.228:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36 104.16.155.36
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 199.193.7.228:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49732 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0259A09A recv,
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pictures.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 169.241.9.0.in-addr.arpa
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://YGApDP.com
Source: PO456724392021.exe, 00000008.00000002.624703526.00000000035F5000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.624818191.0000000003604000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.624749656.00000000035FB000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.622310400.000000000335F000.00000004.00000001.sdmp | String found in binary or memory: http://YfWA3aJjc76ztEimE.com
Source: LOGO AND PICTURES.exe, 00000006.00000003.367655934.00000000065A3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.co
Source: LOGO AND PICTURES.exe, 00000006.00000003.367607117.00000000065BA000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.619555570.0000000001629000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LOGO AND PICTURES.exe, 00000006.00000003.367635858.0000000006598000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627337909.000000000660B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000003.367607117.00000000065BA000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, PO456724392021.exe, 00000008.00000002.619555570.0000000001629000.00000004.00000020.sdmp, Pictures.exe.3.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: LOGO AND PICTURES.exe, 00000006.00000003.367705732.000000000656E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sect
Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO456724392021.exe, 00000008.00000002.624703526.00000000035F5000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe, 00000007.00000002.277841679.0000000002BDD000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
Source: Pictures.exe | String found in binary or memory: http://whatismyipaddress.com/
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr | String found in binary or memory: http://whatismyipaddress.com/-
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                          Source: Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                          Source: Pictures.exe.3.drString found in binary or memory: http://www.nirsoft.net/
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                          Source: Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                          Source: Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                          Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                          Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                          Source: Pictures.exeString found in binary or memory: https://login.yahoo.com/config/login
                          Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                          Source: Pictures.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, PO456724392021.exe, PO2345714382021.exe, 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, PO2345714382021.exe.3.drString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                          Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

                          Yara detected HawkEye Keylogger
                          Source: Yara match | File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
                          Source: Yara match | File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
                          Contains functionality to log keystrokes (.Net Source)
                          Source: Pictures.exe.3.dr, Form1.cs | .Net Code: HookKeyboard
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                          Installs a global keyboard hook
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Pictures.exe
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\PO456724392021.exe
                          Source: PO456724392021.exe, 00000008.00000002.619065209.000000000159B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Window created: window name: CLIPBRDWNDCLASS
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Window created: window name: CLIPBRDWNDCLASS
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Window created: window name: CLIPBRDWNDCLASS
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Window created: window name: CLIPBRDWNDCLASS

                          System Summary:

                          Malicious sample detected (through community Yara rule)
                          Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A2C26C
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A2E622
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A2E630
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A24558
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_0704DAB0
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_0704CAE8
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_0704EC08
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_00742186
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 3_2_00682186
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047D426
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047D523
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0048D5AE
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_00487646
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004B29BE
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004B6AF4
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004DABFC
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3C4D
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3CBE
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047ED03
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3D2F
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3DC0
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047CF92
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0048AFA6
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB6048
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB5758
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB7088
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB7098
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB1D98
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004AC7BC
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_00E92296
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_01309410
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130DA11
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130DE78
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130F190
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130F04D
                          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 9AE5EF3FD4FEEA105C1ED3F1E69FD4FA328E8F29F1937097280F7EEE7F8D749E
                          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 56BD25ACDB97CE17F8351B926C48A4F63E348C40F6C5913219B0745D99F6B31D
                          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Pictures.exe 5207F3D079A52017E7977296C9EBA782D3D5EAE5ADEC94FA38ACDD88C184496D
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: String function: 004BBA9D appears 35 times
                          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: jcKKBKdU.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: Pictures.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: Pictures.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: Pictures.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: hkaP5RPCGNDVq3Z.exe | Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278348508.0000000007640000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278348508.0000000007640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.279931962.0000000007890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278131793.00000000075E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.280157361.0000000007900000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe | Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVNXT.exe* vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameqSFGwNyTRHxXnFNQmReMEDLopGXKYkP.exed" vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaVGHPRrbHbSzmBgNIxPPIWutzHpjQGUX.exe4 vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBehbBNmlFodyWDcOLIcGKBGvXeAtKtoPsNVNJ.exe4 vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266564778.0000000002A90000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266564778.0000000002A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266387872.0000000002A30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
XPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs hkaP5RPCGNDVq3Z.exe
                          Source: hkaP5RPCGNDVq3Z.exe | Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Section loaded: security.dll
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                          Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: jcKKBKdU.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: Pictures.exe.3.dr, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Pictures.exe.3.dr, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                          Source: Pictures.exe.3.dr, Form1.cs | Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs | Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/12@38/5
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D34E52 AdjustTokenPrivileges,
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D34E1B AdjustTokenPrivileges,
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | File created: C:\Users\user\AppData\Roaming\jcKKBKdU.exe
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Mutant created: \Sessions\1\BaseNamedObjects\yjyyHtOeJEQCUOCiFqHAwaA
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
                          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | File created: C:\Users\user\AppData\Local\Temp\tmpEED.tmp
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | File read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | File read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | File read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | File read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | File read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | File read: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                          Source: unknown | Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe 'C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe'
                          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'
                          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: unknown | Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe {path}
                          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
                          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
                          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
                          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
                          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                          Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe {path}
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                          Source: Window Recorder | Window detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                          Source: hkaP5RPCGNDVq3Z.exe | Static file information: File size 1664000 > 1048576
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x191e00
                          Source: hkaP5RPCGNDVq3Z.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277045507.0000000002840000.00000004.00000040.sdmp
                          Source: Binary string: mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbdN source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
                          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
                          Source: Binary string: mscorlib.pdbz\AppData\Local\Temp\Pictures.exe source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: \??\C:\Windows\mscorlib.pdbln source: Pictures.exe, 00000007.00000002.284885892.0000000006460000.00000004.00000001.sdmp
                          Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
                          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
                          Source: Binary string: C:\Windows\mscorlib.pdbd source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
                          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: mscorlib.pdbH source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr
                          Source: Binary string: mscorrc.pdb source: Pictures.exe, 00000007.00000002.280912855.0000000004DD0000.00000002.00000001.sdmp
                          Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr

                          Data Obfuscation:

                          .NET source code contains potential unpacker
                          Source: hkaP5RPCGNDVq3Z.exe, E?Lg????qv/?O?????uxR.cs | .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: jcKKBKdU.exe.0.dr, E?Lg????qv/?O?????uxR.cs | .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.2.hkaP5RPCGNDVq3Z.exe.740000.0.unpack, E?Lg????qv/?O?????uxR.cs | .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.0.hkaP5RPCGNDVq3Z.exe.740000.0.unpack, E?Lg????qv/?O?????uxR.cs | .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Pictures.exe.3.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Pictures.exe.3.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Pictures.exe.3.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Pictures.exe.3.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 3.0.hkaP5RPCGNDVq3Z.exe.680000.0.unpack, E?Lg????qv/?O?????uxR.cs | .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 3.2.hkaP5RPCGNDVq3Z.exe.680000.1.unpack, E?Lg????qv/?O?????uxR.cs | .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeCode function: 0_2_02A27B10 push eax; retf
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeCode function: 0_2_07041718 pushfd ; retf
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 7_2_004E0712 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 7_2_004BBA9D push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeCode function: 8_3_065B72F6 pushfd ; iretd
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeCode function: 8_2_013060F0 pushfd ; retf
                          Source: initial sampleStatic PE information: section name: .text entropy: 7.98345662423
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Roaming\jcKKBKdU.exe
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Local\Temp\Pictures.exe

                          Boot Survival:

                          Uses schtasks.exe or at.exe to add and modify task schedules
                          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'

                          Hooking and other Techniques for Hiding and Protection:

                          Changes the view of files in windows explorer (hidden files and folders)
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion:

                          Yara detected AntiVM_3
                          Source: Yara match File source: 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5552, type: MEMORY
                          Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Function Chain: threadResumed,threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Function Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,threadCreated,memAlloc,threadResumed
                          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: GetAdaptersInfo,
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Thread delayed: delay time: 300000
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window / User API: threadDelayed 3269
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window / User API: threadDelayed 6245
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window / User API: threadDelayed 4164
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window / User API: threadDelayed 5636
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Window / User API: threadDelayed 773
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe TID: 4848 Thread sleep time: -31500s >= -30000s
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe TID: 4848 Thread sleep time: -65000s >= -30000s
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe TID: 1304 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -21213755684765971s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -300000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -199718s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99734s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99625s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99515s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99406s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99297s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99187s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99078s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -197936s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98859s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98750s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98640s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98531s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98422s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98312s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98203s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98093s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97968s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97859s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97750s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97640s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97531s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97422s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97312s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97203s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97093s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96984s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96875s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96765s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96656s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96547s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99875s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99765s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99656s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99547s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99359s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99203s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98843s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98578s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98468s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98359s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98234s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98109s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97890s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97781s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97672s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97078s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96953s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96843s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96734s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96562s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -94890s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -94750s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99750s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99640s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99531s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 5848 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6324 Thread sleep time: -120000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6328 Thread sleep time: -140000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6340 Thread sleep time: -300000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe TID: 6856 Thread sleep time: -17524406870024063s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -3060000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -60000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -59750s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Last function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File Volume queried: C:\ FullSizeInformation
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.259794496.000000000306D000.00000004.00000001.sdmp Binary or memory string: VMware
                          Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: vmware
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                          Source: PO456724392021.exe, 00000008.00000002.627153787.00000000065A0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
                          Source: LOGO AND PICTURES.exe, 00000006.00000003.443811407.0000000008E32000.00000004.00000001.sdmp Binary or memory string: jWWifTDVPPukP/KMU/nhPKY8U6xnKCiwD83HtQxjqW+sV+hDoYc2lhGfsVinfoyjYlYZ
                          Source: PO456724392021.exe, PO2345714382021.exe, 00000009.00000003.361527643.0000000000835000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: VMWARE
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                          Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                          Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                          Source: LOGO AND PICTURES.exe, 00000006.00000003.442108883.00000000041CD000.00000004.00000001.sdmp Binary or memory string: A5uYgwCE/KsJwDhEVB+Lvb5DR+oNYibtAAKIPTVMci8OG6d3wPNU1AQgluOIP8GTfpqa
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
                          Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04CB77F0 LdrInitializeThunk,
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion:

                          .NET source code references suspicious native API functions
                          Source: Pictures.exe.3.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: Pictures.exe.3.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: 7.0.Pictures.exe.470000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: 7.2.Pictures.exe.470000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Injects a PE file into a foreign process
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Memory written: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe {path}
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                          Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Program Manager
                          Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                          Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Progman
                          Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeQueries volume information: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeQueries volume information: C:\Users\user\AppData\Local\Temp\PO456724392021.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: Pictures.exe, 00000007.00000002.284885892.0000000006460000.00000004.00000001.sdmp | Binary or memory string: r\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.261043420.0000000000DBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.261983479.000000000406E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.261860544.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.264379500.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.614250246.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.255977838.0000000000D94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO2345714382021.exe PID: 5880, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO456724392021.exe PID: 2208, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe, type: DROPPED
Source: Yara match | File source: 8.0.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PO2345714382021.exe.a0000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match | File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match | File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.280377660.0000000003B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match | File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match | File source: 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LOGO AND PICTURES.exe PID: 5872, type: MEMORY
Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, type: DROPPED
Source: Yara match | File source: 6.0.LOGO AND PICTURES.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.280377660.0000000003B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match | File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO456724392021.exe PID: 2208, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Pictures.exe | String found in binary or memory: HawkEyeKeylogger
Source: Pictures.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe, 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
Source: Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger|9ar
Source: Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger|9ar@~WA]sOS}SOZYQQSD666666666666666666666666666666666666666666666666|9ar@
Source: Pictures.exe.3.dr | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe.3.dr | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe.3.dr | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe.3.dr | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected AgentTesla
Source: Yara match | File source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.261043420.0000000000DBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.261983479.000000000406E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.261860544.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.264379500.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.614250246.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.255977838.0000000000D94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO2345714382021.exe PID: 5880, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO456724392021.exe PID: 2208, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe, type: DROPPED
Source: Yara match | File source: 8.0.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PO2345714382021.exe.a0000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match | File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match | File source: 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LOGO AND PICTURES.exe PID: 5872, type: MEMORY
Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, type: DROPPED
Source: Yara match | File source: 6.0.LOGO AND PICTURES.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D30E9E bind,
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D30A8E listen,
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D30A50 listen,
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D30E6B bind,

Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
(Trailing digits on a technique name are the report's own superscript counts and are kept as they appear; an empty cell is shown as "-".)

Replication Through Removable Media1 | Windows Management Instrumentation231 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools21 | OS Credential Dumping2 | Peripheral Device Discovery1 | Replication Through Removable Media1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API2 | Scheduled Task/Job1 | Access Token Manipulation1 | Deobfuscate/Decode Files or Information11 | Input Capture211 | File and Directory Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Encrypted Channel12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scheduled Task/Job1 | Logon Script (Windows) | Process Injection112 | Obfuscated Files or Information41 | Credentials in Registry1 | System Information Discovery125 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Scheduled Task/Job1 | Software Packing13 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture211 | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Security Software Discovery261 | SSH | Clipboard Data1 | Data Transfer Size Limits | Non-Application Layer Protocol2 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion16 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol123 | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion16 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection112 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories1 | Network Sniffing | System Network Configuration Discovery11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 339931 | Sample: hkaP5RPCGNDVq3Z.exe | Startdate: 14/01/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 19 other signatures

Process tree recovered from the graph (numbers after a process name are the graph's own per-process counters):

hkaP5RPCGNDVq3Z.exe 6 (started)
    dropped: C:\Users\user\AppData\Local\Temp\tmpEED.tmp (XML); C:\Users\user\AppData\Roaming\jcKKBKdU.exe (PE32)
    signatures: Injects a PE file into a foreign processes
    started: hkaP5RPCGNDVq3Z.exe 5; schtasks.exe 1
        schtasks.exe 1
            started: conhost.exe
        hkaP5RPCGNDVq3Z.exe 5
            dropped: C:\Users\user\AppData\Local\...\Pictures.exe (PE32); C:\Users\user\AppData\...\PO2345714382021.exe (PE32); C:\Users\user\...\LOGO AND PICTURES.exe (PE32)
            started: PO2345714382021.exe; PO456724392021.exe; Pictures.exe 15 6; LOGO AND PICTURES.exe 14 5
                PO2345714382021.exe
                    signatures: Antivirus detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file access); 2 other signatures
                PO456724392021.exe
                    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Installs a global keyboard hook
                Pictures.exe 15 6
                    DNS/IP: 169.241.9.0.in-addr.arpa; whatismyipaddress.com 104.16.155.36, 49728, 80 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
                    signatures: Machine Learning detection for dropped file; Changes the view of files in windows explorer (hidden files and folders)
                    started: dw20.exe
                LOGO AND PICTURES.exe 14 5
                    DNS/IP: checkip.dyndns.org; smtp.privateemail.com 199.193.7.228, 49739, 49741, 49742 NAMECHEAP-NETUS United States; 2 other IPs or domains
                    signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
                    started: netsh.exe
                        netsh.exe
                            started: conhost.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | 100% | Avira | TR/Redcap.jajcu
C:\Users\user\AppData\Local\Temp\Pictures.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Local\Temp\Pictures.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\Pictures.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | 100% | Joe Sandbox ML | -

Unpacked PE Files

Source | Detection | Scanner | Label
7.0.Pictures.exe.470000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
7.0.Pictures.exe.470000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
8.0.PO456724392021.exe.e90000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
7.2.Pictures.exe.470000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
7.2.Pictures.exe.470000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | 100% | Avira | TR/Redcap.jajcu
3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
6.0.LOGO AND PICTURES.exe.880000.0.unpack | 100% | Avira | TR/Redcap.jajcu
8.2.PO456724392021.exe.e90000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
9.0.PO2345714382021.exe.a0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205

Domains

Source | Detection | Scanner
freegeoip.app | 1% | Virustotal
checkip.dyndns.com | 0% | Virustotal
169.241.9.0.in-addr.arpa | 0% | Virustotal
checkip.dyndns.org | 0% | Virustotal

URLs

Rows that the report listed three times verbatim (one per URL Reputation lookup) are shown once.

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://YGApDP.com | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://crl.co | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ns.adobe.cobj | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ocsp.sect | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://YfWA3aJjc76ztEimE.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://ns.ado/1 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | - | high
freegeoip.app | 104.21.19.200 | true | false | - | unknown
smtp.privateemail.com | 199.193.7.228 | true | false | - | high
checkip.dyndns.com | 162.88.193.70 | true | false | - | unknown
169.241.9.0.in-addr.arpa | unknown | unknown | true | - | unknown
checkip.dyndns.org | unknown | unknown | true | - | unknown

Note that 169.241.9.0.in-addr.arpa is a reverse (PTR) lookup name, not a host the sample connected to, and that the Malicious flag on the two unresolved names is the sandbox's verdict, not an antivirus hit (the Antivirus Detection column is empty for every row).

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/ | false | - | high
http://YfWA3aJjc76ztEimE.com | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

These are URL-shaped strings carved from process memory and from the dropped binaries, not a record of connections; compare them with the Contacted Domains and Contacted URLs tables above. Trailing characters such as "designersG", "com0", ".crt0#" or "%GETMozilla/5.0" are bytes that happened to follow the string in memory (format strings, ASN.1 length bytes), not part of the URL. The font-foundry addresses (fontbureau.com, typography.net, founder.com.cn, sandoll.co.kr, jiyu-kobo.co.jp and similar) and the "ns.adobe.c*" fragments are the designer and XMP metadata carried in embedded fonts and resources, and the sectigo.com OCSP, AIA and CPS URLs come from certificate chains. The strings worth acting on are the external IP lookups (checkip.dyndns.org, whatismyipaddress.com, api.ipify.org), the mail host smtp.privateemail.com in the memory of PO456724392021.exe, and the Tor Browser archive URL present in several of the samples.

Source abbreviations used below:
[A] hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp; Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp
[B] PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp
[C] LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp; PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp
[D] LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp
[E] Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | [B] | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | [A] | false | - | high
http://www.fontbureau.com/designers/? | [A] | false | - | high
http://www.founder.com.cn/cn/bThe | [A] | false | URL Reputation: safe | unknown
http://YGApDP.com | [B] | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | [C] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | [A] | false | - | high
http://www.tiro.com | [E] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | [E] | false | - | high
http://ns.adobe.c/g | [D] | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | [A] | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | [A] | false | URL Reputation: safe | unknown
http://www.typography.netD | [A] | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | [A] | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | [A] | false | URL Reputation: safe | unknown
http://fontfabrik.com | [A] | false | URL Reputation: safe | unknown
http://crl.co | LOGO AND PICTURES.exe, 00000006.00000003.367655934.00000000065A3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/- | hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp; Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp; Pictures.exe.3.dr | false | - | high
http://www.galapagosdesign.com/DPlease | [A] | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | [B] | false | URL Reputation: safe | low
https://login.yahoo.com/config/login | Pictures.exe | false | - | high
http://www.fonts.com | [A] | false | - | high
http://www.sandoll.co.kr | [A] | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.deDPlease | [A] | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | Pictures.exe.3.dr | false | - | high
http://www.zhongyicts.com.cn | [A] | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | [A] | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp; PO456724392021.exe; PO2345714382021.exe, 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp; PO2345714382021.exe.3.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | [C] | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | [A] | false | - | high
http://www.fontbureau.com | [A] | false | - | high
http://DynDns.comDynDNS | [B] | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | [C] | false | URL Reputation: safe | unknown
http://ns.adobe.cobj | [D] | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | [B] | false | URL Reputation: safe | unknown
http://ocsp.sect | LOGO AND PICTURES.exe, 00000006.00000003.367705732.000000000656E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com | Pictures.exe, 00000007.00000002.277841679.0000000002BDD000.00000004.00000001.sdmp | false | - | high
http://smtp.privateemail.com | PO456724392021.exe, 00000008.00000002.624703526.00000000035F5000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org%$ | [B] | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | [A] | false | - | high
http://www.founder.com.cn/cn | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | [A] | false | - | high
http://www.jiyu-kobo.co.jp/ | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | [A] | false | - | high
http://ns.ado/1 | [D] | false | URL Reputation: safe | unknown
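The following is an added triage script written for this page by the editor; it is not part of the Joe Sandbox report or of the sample. It takes a constructed subset of the carved URL strings and the Contacted Domains table above, strips the junk bytes that memory carving leaves after the TLD, sorts each host into a category (external IP lookup, SMTP host, tool download, PKI noise, font-metadata noise, truncated, unclassified) and produces the short list a responder would actually search DNS and proxy logs for. The TLD list and the category membership lists are the editor's assumptions, scoped to what appears in this report.

```python
"""Triage of the network observables listed in this report.

Added example by the editor, not part of the Joe Sandbox report or of the
sample. Input is a constructed subset of the "URLs from Memory and Binaries"
and "Contacted Domains" tables, trailing junk included; the TLD list and the
category lists are the editor's assumptions for this report only.
"""
from urllib.parse import urlsplit

# Constructed input: carved URL strings copied from the memory table.
MEMORY_URLS = [
    "http://checkip.dyndns.org/",
    "http://whatismyipaddress.com/-",
    "https://api.ipify.org%GETMozilla/5.0",
    "http://smtp.privateemail.com",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/"
    "tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://ocsp.sectigo.com0",
    "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#",
    "http://www.fontbureau.com/designersG",
    "http://www.typography.netD",
    "http://www.carterandcone.coml",
    "http://www.urwpp.deDPlease",
    "http://ns.adobe.c/g",
    "http://YfWA3aJjc76ztEimE.com",
    "http://www.site.com/logs.php",
]

# Constructed input: the Contacted Domains table (name -> resolved IP).
CONTACTED = {
    "whatismyipaddress.com": "104.16.155.36",
    "freegeoip.app": "104.21.19.200",
    "smtp.privateemail.com": "199.193.7.228",
    "checkip.dyndns.com": "162.88.193.70",
    "checkip.dyndns.org": None,
}

# Assumption: the only TLDs that occur in this report. Longest first so that
# "com" is tried before "cn" for a junk-suffixed label such as "com0".
TLDS = sorted(["com", "org", "net", "app", "cn", "kr", "jp", "de"],
              key=len, reverse=True)

# Assumed classification lists (editor's choice, not report output).
IP_CHECK = {"whatismyipaddress.com", "checkip.dyndns.org",
            "checkip.dyndns.com", "api.ipify.org", "freegeoip.app"}
PKI_NOISE = {"ocsp.sectigo.com", "crt.sectigo.com"}
FONT_VENDORS = {"www.fontbureau.com", "www.typography.net",
                "www.carterandcone.com", "www.urwpp.de"}
TOOL_DOWNLOAD = {"www.theonionrouter.com"}


def recover_host(url):
    """Hostname of a carved URL with the junk that follows the TLD removed.

    Memory carving keeps whatever bytes sit after the string, so the last
    label may read 'com0', 'netD' or 'org%GETMozilla'. A known TLD is matched
    as a prefix of that label (case-sensitive, before lowercasing) and the
    rest is dropped. Returns None when no TLD is found, which is how a string
    truncated before its TLD ('ns.adobe.c') shows up.
    """
    labels = urlsplit(url).netloc.split(".")
    if len(labels) < 2:
        return None
    tld = next((t for t in TLDS if labels[-1].startswith(t)), None)
    if tld is None:
        return None
    return ".".join(labels[:-1] + [tld]).lower()


def classify(host):
    """Bucket a recovered host; None means the string was truncated."""
    if host is None:
        return "truncated"
    if host in IP_CHECK:
        return "ip_check"          # external IP discovery before exfiltration
    if host.startswith("smtp."):
        return "smtp"              # mail server a stealer would send logs to
    if host in TOOL_DOWNLOAD:
        return "tool_download"
    if host in PKI_NOISE:
        return "pki_noise"         # OCSP/AIA URLs from certificate chains
    if host in FONT_VENDORS:
        return "font_metadata_noise"  # designer URLs embedded in font files
    return "unclassified"


def triage(urls):
    """Group carved URLs: category -> sorted hosts (raw URL if truncated)."""
    buckets = {}
    for url in urls:
        host = recover_host(url)
        buckets.setdefault(classify(host), set()).add(host or url)
    return {cat: sorted(items) for cat, items in buckets.items()}


def hunt_indicators(urls, contacted):
    """Hosts worth searching for in DNS and proxy logs, each paired with the
    address the sandbox saw it resolve to (None if unresolved or never
    contacted). Noise categories are left out; anything actually contacted
    is included regardless of category."""
    grouped = triage(urls)
    hosts = set(contacted)
    for cat in ("ip_check", "smtp", "tool_download", "unclassified"):
        hosts.update(grouped.get(cat, []))
    return {h: contacted.get(h) for h in sorted(hosts)}


if __name__ == "__main__":
    for cat, hosts in triage(MEMORY_URLS).items():
        print(f"{cat:20s} {', '.join(hosts)}")
    for host, ip in hunt_indicators(MEMORY_URLS, CONTACTED).items():
        print(f"hunt: {host} ({ip or 'unresolved'})")
```

The TLD-prefix rule is deliberately narrow: a junk byte that is itself a letter (the "l" in "coml", the "D" in "netD") cannot be told apart from a real TLD by syntax alone, so the script only recognises TLDs it has been told about and reports anything else as truncated rather than guessing. Extend TLDS before reusing it on another report.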

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENET, US | false
162.88.193.70 | unknown | United States | 33517 | DYNDNS, US | false
104.21.19.200 | unknown | United States | 13335 | CLOUDFLARENET, US | false
199.193.7.228 | unknown | United States | 22612 | NAMECHEAP-NET, US | false

The Domain column is empty in the report, but the Contacted Domains table above resolves these addresses to whatismyipaddress.com (104.16.155.36), checkip.dyndns.com (162.88.193.70), freegeoip.app (104.21.19.200) and smtp.privateemail.com (199.193.7.228). The two Cloudflare addresses are shared edge IPs and are not useful as indicators on their own; 199.193.7.228 on NAMECHEAP-NET is the mail host and the one to correlate with outbound SMTP in network logs.

                                                                  Private

                                                                  IP
                                                                  192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339931
Start date: 14.01.2021
Start time: 21:04:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: hkaP5RPCGNDVq3Z.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/12@38/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 1% (good quality ratio 0.3%)
• Quality average: 22.3%
• Quality standard deviation: 28.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 168.61.161.212, 23.210.248.85, 51.104.144.132, 8.241.122.126, 8.241.89.254, 8.238.27.126, 92.122.213.194, 92.122.213.247, 20.54.26.129, 51.11.168.160, 52.155.217.156
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
21:05:36 | API Interceptor | 2x Sleep call for process: hkaP5RPCGNDVq3Z.exe modified
21:05:57 | API Interceptor | 3x Sleep call for process: Pictures.exe modified
21:06:00 | API Interceptor | 1x Sleep call for process: dw20.exe modified
21:06:02 | API Interceptor | 325x Sleep call for process: PO2345714382021.exe modified
21:06:07 | API Interceptor | 927x Sleep call for process: PO456724392021.exe modified
21:06:11 | API Interceptor | 1077x Sleep call for process: LOGO AND PICTURES.exe modified
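The API Interceptor rows record the sandbox shortening the sample's Sleep calls so that delay loops do not consume the analysis window; the count is the number of Sleep calls that had to be patched per process, and LOGO AND PICTURES.exe (1077 patched calls) is the one spending the most time in such loops. The following added example, which is not part of the Joe Sandbox report, parses rows in the shape above into per-process totals and shows the timing check a sample can use to notice that its Sleep has been shortened: compare the requested delay against an independent monotonic clock. The row strings are constructed from the table above, `fake_sleep` stands in for a patched Sleep, and `min_ratio` is a threshold chosen for the example, not a value from the report.

```python
import re
import time
from collections import Counter

# Rows constructed from the Simulations table above (same text, pipe-separated).
SIMULATION_ROWS = [
    "21:05:36 | API Interceptor | 2x Sleep call for process: hkaP5RPCGNDVq3Z.exe modified",
    "21:05:57 | API Interceptor | 3x Sleep call for process: Pictures.exe modified",
    "21:06:00 | API Interceptor | 1x Sleep call for process: dw20.exe modified",
    "21:06:02 | API Interceptor | 325x Sleep call for process: PO2345714382021.exe modified",
    "21:06:07 | API Interceptor | 927x Sleep call for process: PO456724392021.exe modified",
    "21:06:11 | API Interceptor | 1077x Sleep call for process: LOGO AND PICTURES.exe modified",
]

# Accepts both the pipe-separated form and the run-together form
# ("21:05:36API Interceptor2x Sleep call for process: X modified") that HTML extraction produces.
ROW_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2})\s*\|?\s*API Interceptor\s*\|?\s*"
    r"(?P<count>\d+)x Sleep call for process: (?P<proc>.+?) modified$"
)


def parse_sleep_rows(rows):
    """Return {process: total patched Sleep calls} for rows in the report's format."""
    totals = Counter()
    for row in rows:
        m = ROW_RE.search(row.strip())
        if m:
            totals[m.group("proc")] += int(m.group("count"))
    return dict(totals)


def rank_sleep_patches(rows):
    """Processes ordered by how many Sleep calls the interceptor had to shorten."""
    return sorted(parse_sleep_rows(rows).items(), key=lambda kv: kv[1], reverse=True)


def sleep_was_shortened(requested_s, elapsed_s, min_ratio=0.5):
    """True when the observed delay is far below the requested one.

    A sample that wants to stall for minutes wraps its own Sleep in this check:
    a patched Sleep returns almost at once, so the elapsed/requested ratio collapses.
    min_ratio is a threshold chosen for this example.
    """
    return elapsed_s < requested_s * min_ratio


def timed_sleep(requested_s, sleep_fn=time.sleep, clock=time.perf_counter):
    """Call sleep_fn and measure how long it really took on a monotonic clock."""
    start = clock()
    sleep_fn(requested_s)
    return clock() - start


def detect_sleep_patching(requested_s=0.05, sleep_fn=time.sleep):
    """Verdict for one Sleep call: was it shortened by an interceptor?"""
    return sleep_was_shortened(requested_s, timed_sleep(requested_s, sleep_fn))


def fake_sleep(_seconds):
    """Stand-in for a patched Sleep that returns without waiting (constructed for the example)."""
    return None


if __name__ == "__main__":
    for proc, count in rank_sleep_patches(SIMULATION_ROWS):
        print(f"{count:5d}  {proc}")
    print("real Sleep shortened?", detect_sleep_patching())
    print("patched Sleep shortened?", detect_sleep_patching(sleep_fn=fake_sleep))
```

The ratio test is deliberately loose: a busy host makes a sleep longer, never shorter, so a 0.5 threshold gives no false positives on a real clock while still catching a Sleep that returns in microseconds. Interceptors that also hook the clock source defeat this check, which is why a sandbox that patches Sleep should patch GetTickCount and QueryPerformanceCounter consistently.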

Joe Sandbox View / Context

IPs

Match: 104.16.155.36
Associated Sample Name / URL | Detection | Context
NDt93WWQwd089H7.exe | malicious | whatismyipaddress.com/
PURCHASE ORDER.exe | malicious | whatismyipaddress.com/
BANK-STATMENT _xlsx.exe | malicious | whatismyipaddress.com/
INQUIRY.exe | malicious | whatismyipaddress.com/
Prueba de pago.exe | malicious | whatismyipaddress.com/
mR3CdUkyLL.exe | malicious | whatismyipaddress.com/
6JLHKYvboo.exe | malicious | whatismyipaddress.com/
jSMd8npgmU.exe | malicious | whatismyipaddress.com/
RXk6PjNTN8.exe | malicious | whatismyipaddress.com/
9vdouqRTh3.exe | malicious | whatismyipaddress.com/
5pB35gGfZ5.exe | malicious | whatismyipaddress.com/
fyxC4Hgs3s.exe | malicious | whatismyipaddress.com/
yk94P18VKp.exe | malicious | whatismyipaddress.com/
oLHQIQAI3N.exe | malicious | whatismyipaddress.com/
WuGzF7ZJ7P.exe | malicious | whatismyipaddress.com/
NXmokFkh3R.exe | malicious | whatismyipaddress.com/
qiGQsdRM57.exe | malicious | whatismyipaddress.com/
NSSPH41vE5.exe | malicious | whatismyipaddress.com/
2v7Vtqfo81.exe | malicious | whatismyipaddress.com/
355OckuTD3.exe | malicious | whatismyipaddress.com/

Domains

Match: freegeoip.app
Associated Sample Name / URL | Detection | Context
Scan document.exe | malicious | 104.21.19.200
H56qL3lu0k.exe | malicious | 104.21.19.200
pfyoq7q31V.exe | malicious | 104.21.19.200
UthdssT6pm.exe | malicious | 104.21.19.200
PI0jYjw6X2.exe | malicious | 104.21.19.200
SecuriteInfo.com.Trojan.PackedNET.505.30555.exe | malicious | 172.67.188.154
B6LNCKjOGt5EmFQ.exe | malicious | 172.67.188.154
IMG-0641.doc | malicious | 104.21.19.200
a5T7dTsG4U.exe | malicious | 172.67.188.154
NKP210102-NIT-SC2.exe | malicious | 104.21.19.200
80Iki3DsHA.exe | malicious | 172.67.188.154
QPR-1064.pdf.exe | malicious | 172.67.188.154
IMG_2021_01_13_1_RFQ_PO_1832938.doc | malicious | 104.28.5.151
IMG_2021_01_13_1_RFQ_PO_1832938.exe | malicious | 104.28.4.151
09000000000000h.exe | malicious | 172.67.188.154
PO-5042.exe | malicious | 104.28.4.151
onYLLDPXswyCVZu.exe | malicious | 104.28.4.151
PO-75013.exe | malicious | 104.28.4.151
ZwFwevQtlv.exe | malicious | 172.67.188.154
ssDV3d9O9o.exe | malicious | 172.67.188.154

Match: whatismyipaddress.com
Associated Sample Name / URL | Detection | Context
B6LNCKjOGt5EmFQ.exe | malicious | 104.16.154.36
NDt93WWQwd089H7.exe | malicious | 104.16.155.36
JkhR5oeRHA.exe | malicious | 66.171.248.178
PURCHASE ORDER.exe | malicious | 104.16.155.36
BANK-STATMENT _xlsx.exe | malicious | 104.16.154.36
INQUIRY.exe | malicious | 104.16.154.36
Prueba de pago.exe | malicious | 104.16.155.36
879mgDuqEE.jar | malicious | 66.171.248.178
remittance1111.jar | malicious | 66.171.248.178
879mgDuqEE.jar | malicious | 66.171.248.178
remittance1111.jar | malicious | 66.171.248.178
https://my-alliances.co.uk/ | malicious | 66.171.248.178
c9o0CtTIYT.exe | malicious | 104.16.154.36
mR3CdUkyLL.exe | malicious | 104.16.155.36
6JLHKYvboo.exe | malicious | 104.16.155.36
jSMd8npgmU.exe | malicious | 104.16.155.36
khJdbt0clZ.exe | malicious | 104.16.154.36
ZMOKwXqVHO.exe | malicious | 104.16.154.36
5Av43Q5IXd.exe | malicious | 104.16.154.36
8oaZfXDstn.exe | malicious | 104.16.154.36

ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
G4Q6P4rcer.exe | malicious | 23.227.38.74
MBCBeDON27.exe | malicious | 23.227.38.74
ouyPcSPwll.exe | malicious | 23.227.38.74
fatHvt8YhT.exe | malicious | 104.27.160.102
Scan document.exe | malicious | 104.21.19.200
H56qL3lu0k.exe | malicious | 104.21.19.200
pfyoq7q31V.exe | malicious | 104.21.19.200
ACH PAYMENT REMITTANCE ADVICE.xlsx | malicious | 104.20.185.68
UthdssT6pm.exe | malicious | 104.21.19.200
PI0jYjw6X2.exe | malicious | 104.21.19.200
Voicemail wav.html | malicious | 104.16.18.94
t1XJOlYvhExZyrm.exe | malicious | 23.227.38.74
937 2912 2020 2_90961070.doc | malicious | 172.67.162.234
equinix-customer-portal.apk | malicious | 104.22.11.83
PRS TT copy_pdf.exe | malicious | 66.235.200.3
Archivo_2020.doc | malicious | 172.67.162.234
SecuriteInfo.com.Trojan.PackedNET.505.30555.exe | malicious | 172.67.188.154
Copy_#_824.xls | malicious | 172.67.189.45
DHL e-invoice.exe | malicious | 172.67.177.142
Copy_#_824.xls | malicious | 172.67.189.45
Match: DYNDNSUS
Associated Sample Name / URL | Detection | Context
j2MLUi56gM.exe | malicious | 131.186.113.70
Scan document.exe | malicious | 131.186.113.70
H56qL3lu0k.exe | malicious | 216.146.43.71
pfyoq7q31V.exe | malicious | 216.146.43.71
UthdssT6pm.exe | malicious | 216.146.43.71
PI0jYjw6X2.exe | malicious | 216.146.43.71
SecuriteInfo.com.Trojan.PackedNET.505.30555.exe | malicious | 131.186.113.70
B6LNCKjOGt5EmFQ.exe | malicious | 131.186.161.70
IMG-0641.doc | malicious | 216.146.43.70
a5T7dTsG4U.exe | malicious | 162.88.193.70
NKP210102-NIT-SC2.exe | malicious | 162.88.193.70
80Iki3DsHA.exe | malicious | 162.88.193.70
QPR-1064.pdf.exe | malicious | 216.146.43.71
IMG_2021_01_13_1_RFQ_PO_1832938.doc | malicious | 131.186.113.70
IMG_2021_01_13_1_RFQ_PO_1832938.exe | malicious | 216.146.43.71
09000000000000h.exe | malicious | 216.146.43.70
PO-5042.exe | malicious | 216.146.43.71
onYLLDPXswyCVZu.exe | malicious | 216.146.43.70
PO-75013.exe | malicious | 162.88.193.70
ZwFwevQtlv.exe | malicious | 216.146.43.71

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Context
j2MLUi56gM.exe | malicious | 104.21.19.200
Scan document.exe | malicious | 104.21.19.200
H56qL3lu0k.exe | malicious | 104.21.19.200
pfyoq7q31V.exe | malicious | 104.21.19.200
UthdssT6pm.exe | malicious | 104.21.19.200
PI0jYjw6X2.exe | malicious | 104.21.19.200
SecuriteInfo.com.Trojan.PackedNET.505.30555.exe | malicious | 104.21.19.200
B6LNCKjOGt5EmFQ.exe | malicious | 104.21.19.200
a5T7dTsG4U.exe | malicious | 104.21.19.200
NKP210102-NIT-SC2.exe | malicious | 104.21.19.200
80Iki3DsHA.exe | malicious | 104.21.19.200
SecuriteInfo.com.Trojan.GenericKD.36094879.31571.exe | malicious | 104.21.19.200
QPR-1064.pdf.exe | malicious | 104.21.19.200
IMG_2021_01_13_1_RFQ_PO_1832938.exe | malicious | 104.21.19.200
aNmkT4KLJX.exe | malicious | 104.21.19.200
09000000000000h.exe | malicious | 104.21.19.200
PO-5042.exe | malicious | 104.21.19.200
Geno_Quotation,pdf.exe | malicious | 104.21.19.200
onYLLDPXswyCVZu.exe | malicious | 104.21.19.200
PO-75013.exe | malicious | 104.21.19.200

                                                                  Dropped Files

Match | Associated Sample Name / URL | Detection
• C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | B6LNCKjOGt5EmFQ.exe | malicious
• C:\Users\user\AppData\Local\Temp\Pictures.exe | B6LNCKjOGt5EmFQ.exe | malicious
• C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | B6LNCKjOGt5EmFQ.exe | malicious

                                                                        Created / dropped Files

                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_pictures.exe_c756fdb369d16caee6eb4c4fc55eace42746ab1_00000000_18aec46c\Report.wer
                                                                        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):16928
                                                                        Entropy (8bit):3.753019809959852
                                                                        Encrypted:false
                                                                        SSDEEP:192:6/wSaMVvaKsn9fbeN9M2v1zzvSXk0ZKjBIcQry/u7sJS274ItD:CwSjaEdvh/sy/u7sJX4ItD
                                                                        MD5:E233678BD09FFCBC57BBFF192C4B065F
                                                                        SHA1:6EF6152294B9A1E82717DF8C20424651D446AA3F
                                                                        SHA-256:82D18EC26116FD9ECB7FB03A8FC744210A39FCC5F8036070BA2BECF26DB1274D
                                                                        SHA-512:19F8973FD7D4E86F26DC5662E49C0EAD7DE7BEB091297B9C680E4408E4C0631C75FBDDA6BA8541BF91F210DAF5CC4DE9BDF4E9B254035AAC814EA01151920312
                                                                        Malicious:false
                                                                        Reputation:low
Preview (UTF-16 text, decoded; one key=value per line):
Version=1
EventType=CLR20r3
EventTime=132551607586181979
ReportType=2
Consent=1
UploadTime=132551607590244488
ReportStatus=268435456
ReportIdentifier=9e723921-5c5c-406a-be64-542a1c37e3c0
Wow64Host=34404
Wow64Guest=332
OriginalFilename=Phulli.exe
AppSessionGuid=000016ec-0001-0017-1023-7b19fcead601
TargetAppId=W:000676cc940d7a0d30ae283fa77be8fe64d300000000!00004171900e4d1291c7a7cdb33adc655ecb12334a4f!Pictures.exe
TargetAppVer=2020//12//09:10:51:32!0!Pictures.exe
BootId=4294967295
T[preview truncated]
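The Report.wer above is UTF-16 key=value text. Two of its fields are worth pulling out during triage: TargetAppId, whose second field ends in the SHA-1 of the crashing image (here 4171900e…4a4f, the SHA1 listed for the dropped Pictures.exe further down), and OriginalFilename, which comes from the PE version resource and reads Phulli.exe although the image on disk is Pictures.exe. The script below is an added example, not part of the sandbox report: it decodes such a file and correlates it with a dropped-file hash table. The Report.wer bytes and the hash table are constructed from the values shown on this page, and the assumption that the last 40 hex characters of TargetAppId's second field are the image SHA-1 is checked by that correlation.

```python
"""Correlate a WER Report.wer crash record with a dropped-file inventory.

Added example, not part of the sandbox report.  The Report.wer bytes below are
constructed from the field values the report's preview shows (UTF-16LE with BOM
and CRLF line ends, as the real file is written), and DROPPED_FILES is a subset
of the SHA1 values listed under "Created / dropped Files" on this page.
"""
import re

_REPORT_TEXT = (
    "Version=1\r\n"
    "EventType=CLR20r3\r\n"
    "EventTime=132551607586181979\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "ReportIdentifier=9e723921-5c5c-406a-be64-542a1c37e3c0\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "OriginalFilename=Phulli.exe\r\n"
    "TargetAppId=W:000676cc940d7a0d30ae283fa77be8fe64d300000000!"
    "00004171900e4d1291c7a7cdb33adc655ecb12334a4f!Pictures.exe\r\n"
    "TargetAppVer=2020//12//09:10:51:32!0!Pictures.exe\r\n"
)
# Constructed file image: BOM + UTF-16LE body, the layout WER uses on disk.
SAMPLE_REPORT_WER = b"\xff\xfe" + _REPORT_TEXT.encode("utf-16-le")

# Path -> SHA1 of the dropped PE files, copied from the entries on this page.
DROPPED_FILES = {
    r"C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe":
        "CFA2DBFF8527715EAAD00E91BD8955A8FFFC1224",
    r"C:\Users\user\AppData\Local\Temp\PO2345714382021.exe":
        "3C2066345874FEBAFE281BBDE952D4F32D2ED53A",
    r"C:\Users\user\AppData\Local\Temp\Pictures.exe":
        "4171900E4D1291C7A7CDB33ADC655ECB12334A4F",
    r"C:\Users\user\AppData\Roaming\jcKKBKdU.exe":
        "42110C04869726694A2537E05F987039CD829AC0",
}

# IMAGE_FILE_MACHINE_* values WER writes into Wow64Host / Wow64Guest.
_MACHINE = {"34404": "x64", "332": "x86", "43620": "ARM64"}


def parse_wer(data: bytes) -> dict:
    """Decode a Report.wer blob into {key: value}.  The leading BOM selects the
    byte order; lines without '=' are skipped; later duplicates win."""
    text = data.decode("utf-16")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


_APPID_RE = re.compile(r"^W:([0-9a-f]+)!([0-9a-f]+)!(.+)$", re.I)


def target_app(fields: dict):
    """Split TargetAppId 'W:<id>!<hash>!<image>' and return (sha1, image name).
    Assumption (checked by the hash match in crash_report_triage): the last 40
    hex characters of the second field are the SHA-1 of the crashing image."""
    m = _APPID_RE.match(fields.get("TargetAppId", ""))
    if not m:
        return None
    return m.group(2)[-40:].upper(), m.group(3)


def crash_report_triage(data: bytes, dropped: dict) -> dict:
    """Return what an analyst wants from the crash record: which dropped file
    crashed, whether its on-disk name differs from its version-resource name
    (a renaming indicator), and the host/guest machine types."""
    fields = parse_wer(data)
    result = {
        "event_type": fields.get("EventType"),
        "original_filename": fields.get("OriginalFilename"),
        "crashing_image": None,
        "sha1": None,
        "matched_dropped_file": None,
        "name_mismatch": False,
        "bitness": (_MACHINE.get(fields.get("Wow64Host", ""), "?"),
                    _MACHINE.get(fields.get("Wow64Guest", ""), "?")),
    }
    app = target_app(fields)
    if app:
        result["sha1"], result["crashing_image"] = app
        result["matched_dropped_file"] = next(
            (p for p, h in dropped.items() if h.upper() == result["sha1"]), None)
        orig = (result["original_filename"] or "").lower()
        result["name_mismatch"] = orig != result["crashing_image"].lower()
    return result
```

On this page's values the triage resolves the crash to C:\Users\user\AppData\Local\Temp\Pictures.exe, flags the Phulli.exe / Pictures.exe name mismatch, and reports an x86 guest on an x64 host, which agrees with the PE32 file type of Pictures.exe and with the 32-bit v2.0.50727 dw20.exe that wrote the report (CLR20r3 is the WER event type for an unhandled managed exception).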
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD58.tmp.WERInternalMetadata.xml
                                                                        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):7614
                                                                        Entropy (8bit):3.689808400173829
                                                                        Encrypted:false
                                                                        SSDEEP:192:Rrl7r3GLNitb6I6YBww69ZgmfZ61SNCp1j51fyhm:RrlsNih6I6YBH69ZgmfQ1S0jbf9
                                                                        MD5:4F937BBAEC18565798C00DFF15DA3B14
                                                                        SHA1:0FD02011DF2044F794562CC1BF42C4744FCC7D54
                                                                        SHA-256:225C6EF471967C7C2395DD52C976AE40E7889B6969E1C2D3E44BA02D2CCA25D1
                                                                        SHA-512:A94446C89F9D793843EF981AB0120CDC8D3FDD96456A47649C5F751D02DDB2C5DFAE863278B5F4E01AA8B25BAD4C9906657BB127D3F8F981A81F1E1CE00C320D
                                                                        Malicious:false
                                                                        Reputation:low
Preview (UTF-16 text, decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>17134</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
    <Revision>1</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>1033</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>5868</Pid>
    [preview truncated]
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE53.tmp.xml
                                                                        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4674
                                                                        Entropy (8bit):4.439990671486078
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwSD8zs4BJgtWI97zWSC8B+WK8fm8M4JFKC5Flo+q8v1o/xrvVgd:uITfEQCSNZ/JFKYoKOJrvVgd
                                                                        MD5:83CAEE268D6E33CF1E020A1325B97FFE
                                                                        SHA1:BAD950E57B70418E799339A68D2EE496AEF2CB75
                                                                        SHA-256:4F50BC5E24E16D4850FE954DCC3E4EEF8B1D11284BB2B042BE31B1F59980E910
                                                                        SHA-512:8446CB3A7B8D1592FFF947941599B8A5C774E667D441BB8649211DC52B02C735FCF10B688B80FEAA065168A2B43F830E3A7BCEEE9C95492AC979728EF2F54876
                                                                        Malicious:false
                                                                        Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="17134" />
            <arg nm="vercsdbld" val="1" />
            <arg nm="verqfe" val="1" />
            <arg nm="csdbld" val="1" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="1033" />
            <arg nm="geoid" val="244" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="817336" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.1.17134.0-11.0.47" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="4096" />
            [preview truncated]
                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hkaP5RPCGNDVq3Z.exe.log
                                                                        Process:C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.355304211458859
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                        C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe
                                                                        Process:C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):456192
                                                                        Entropy (8bit):5.4162986566993
                                                                        Encrypted:false
                                                                        SSDEEP:3072:gbG/+hpzWouj0ce9wDRlZg80CEZU8BVfCXEMRWTjwNs5Pu:gC/+7Wouj7e6DRlZjYfCXEsWTj+qu
                                                                        MD5:D9001138C5119D936B70BF77E136AFBE
                                                                        SHA1:CFA2DBFF8527715EAAD00E91BD8955A8FFFC1224
                                                                        SHA-256:9AE5EF3FD4FEEA105C1ED3F1E69FD4FA328E8F29F1937097280F7EEE7F8D749E
                                                                        SHA-512:0187EC1EDE0022DAA4021A72D871CA0B7694B312BDBA1C31BF3C0667CE0255C51E9880170A4B5226E63C2BF48F53B8071F12B08C106B6B82EB1D5389C3F9D576
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Joe Sandbox View:
• Filename: B6LNCKjOGt5EmFQ.exe, Detection: malicious
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_................................. ... ....@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......H...Xy..........@'...h.....................................................................................................................................................................RNK\ZJO@F.EYC.G.IOYKJ._R_CEESEPPlj}ez|"hzfSn`ssdh~DNwq//M\`tdv`|..;.....4......Ewqus._/.....V>..%9%(:&##b?`LLJN.56(,*:.}.2=4lwY_.............................................................................................................A.{YOLI..qAL.tTDY^..v^NY
                                                                        C:\Users\user\AppData\Local\Temp\PO2345714382021.exe
                                                                        Process:C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):220672
                                                                        Entropy (8bit):6.060576428712888
                                                                        Encrypted:false
                                                                        SSDEEP:3072:zVQsV4phvec6kzCuJ5ufEUJdYi68Nl2xQzMfNlpmgVQoKPMXT3QECAJrYULCqv:zN49CaUXxN0AWNvmHoKPW3B0U
                                                                        MD5:9B79DE8E3AD21F14E71E55CFA6AE4727
                                                                        SHA1:3C2066345874FEBAFE281BBDE952D4F32D2ED53A
                                                                        SHA-256:56BD25ACDB97CE17F8351B926C48A4F63E348C40F6C5913219B0745D99F6B31D
                                                                        SHA-512:F922BE9228BAA1DAB85A5CFACFAFBB6E8C919009BB843B6CDBA0C2E24F6ABFCBE26417046BE248CCB41F820111633FDEE7C6EA5865A2FBCC3BCF22C52A7208E6
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Joe Sandbox View:
• Filename: B6LNCKjOGt5EmFQ.exe, Detection: malicious
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.._.................V...........u... ........@.. ....................................@..................................t..S.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................t......H........................................................................(....*..(....*.s.........s.........s.........s.........*...0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0............+......,........,........,.+.+...(....(....*...0..(.........+......,........,........,.+.+..(....*.0..,.......
                                                                        C:\Users\user\AppData\Local\Temp\Pictures.exe
                                                                        Process:C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):533504
                                                                        Entropy (8bit):6.503670066564474
                                                                        Encrypted:false
                                                                        SSDEEP:6144:wuHqCVjDbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9u:/jDQtqB5urTIoYWBQk1E+VF9mOx90i
                                                                        MD5:25146E9C5ECD498DD17BA01E6CFAEB24
                                                                        SHA1:4171900E4D1291C7A7CDB33ADC655ECB12334A4F
                                                                        SHA-256:5207F3D079A52017E7977296C9EBA782D3D5EAE5ADEC94FA38ACDD88C184496D
                                                                        SHA-512:18374C6619B5F3D310DB43E5F81DB1333BDC9DC4086910FE2724A406D445CCBF5B16463B9341FBE718B2AAE9E929A2302655F3964EB64B47F2D80418B46E478F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Joe Security
                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: JPCERT/CC Incident Response Group
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Joe Sandbox View:
• Filename: B6LNCKjOGt5EmFQ.exe, Detection: malicious
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.._.....................4........... ........@.. ....................................@.....................................O.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`......."..............@..B........................H.......0}.................X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                        C:\Users\user\AppData\Local\Temp\tmpEED.tmp
                                                                        Process:C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1641
                                                                        Entropy (8bit):5.193127845558997
                                                                        Encrypted:false
                                                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBT0tn:cbh47TlNQ//rydbz9I3YODOLNdq39y
                                                                        MD5:19005E6AE6D13419E24E6B44A321C2FF
                                                                        SHA1:D5C8EE6D2B854B2A3E725BDE8928DD1AEB143E74
                                                                        SHA-256:515FB894DE6358CC827D0230808D5040717B78DF6925D6ADE7C3A2C722150D77
                                                                        SHA-512:F5C9A12976C26D75988977FA2EECB4570585713001A4F4AB4A5A02F6975B17FE79D0155F97181224B8A250E71DE2A5524FF9683F5142F2A421A46A9EBF95BCDD
                                                                        Malicious:true
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true[preview truncated]
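tmpEED.tmp is a Task Scheduler definition written to the user's %TEMP%: a LogonTrigger for computer\user, run as InteractiveToken at LeastPrivilege, with a hard-coded 2014 registration date. Note that the file type is reported as ASCII text although the declaration says encoding="UTF-16"; a parser that honours the declaration will reject that mismatch, so a triage tool should drop the declaration before parsing. The script below is an added example, not the sandbox's own logic. Its XML is constructed from the fields visible in the preview, with the cut-off elements closed and a placeholder <Actions> block added, because the preview ends before the real action; the placeholder command path is an assumption, not a value from the report.

```python
"""Triage a Task Scheduler XML definition for persistence indicators.

Added example, not part of the sandbox report.  SAMPLE_TASK_XML is constructed:
it repeats the elements visible in the tmpEED.tmp preview, closes the ones the
preview cuts off, and adds an <Actions> block with a placeholder command
(assumed for illustration; the real action is not shown on the page).
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\placeholder.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def load_task(raw: bytes) -> ET.Element:
    """Decode by BOM (UTF-16) or as 8-bit text, then drop the XML declaration so
    a declared encoding that does not match the bytes (ASCII file, UTF-16
    declaration, as on this page) cannot make the parser reject the document."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("latin-1")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    return ET.fromstring(text)


def _text(node, path: str) -> str:
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task(raw: bytes) -> dict:
    """Summarise who registered the task, how it runs, what it runs, and which
    settings make it a persistence mechanism."""
    root = load_task(raw)
    findings = []
    logon = root.find("t:Triggers/t:LogonTrigger", NS)
    # <Enabled> defaults to true in the task schema, so only an explicit 'false' disables it.
    if logon is not None and _text(logon, "t:Enabled").lower() != "false":
        findings.append("LogonTrigger enabled: runs at every logon of " + _text(logon, "t:UserId"))
    if _text(root, "t:Settings/t:StartWhenAvailable").lower() == "true":
        findings.append("StartWhenAvailable: a missed trigger is run as soon as possible")
    if _text(root, "t:Settings/t:AllowHardTerminate").lower() == "false":
        findings.append("AllowHardTerminate=false: the scheduler will not kill a hung instance")
    commands = [_text(e, "t:Command") for e in root.findall("t:Actions/t:Exec", NS)]
    for cmd in commands:
        if "\\appdata\\" in cmd.lower() or "\\temp\\" in cmd.lower():
            findings.append("action runs from a user-writable path: " + cmd)
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "logon_type": _text(root, "t:Principals/t:Principal/t:LogonType"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "commands": commands,
        "findings": findings,
    }
```

The same checks apply to definitions exported from a live host with `schtasks /Query /TN <name> /XML`. Because the Date element is part of the task text rather than something the scheduler fills in, a registration date years older than the dropped binary's own timestamps is a template artifact that a detection rule can key on alongside the %TEMP% source path.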
                                                                        C:\Users\user\AppData\Roaming\jcKKBKdU.exe
                                                                        Process:C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1664000
                                                                        Entropy (8bit):7.980218078211509
                                                                        Encrypted:false
                                                                        SSDEEP:24576:xk2c3F4utgvW/OG1QjTh336I4vlsevTPvxt/mrknakwowZqDpns72zG3xzevGQSy:zTW/VmT9Klveevr/m76u3xzMTQz
                                                                        MD5:07556E1AF1F43F7DD42D32D188187E4A
                                                                        SHA1:42110C04869726694A2537E05F987039CD829AC0
                                                                        SHA-256:A6FC5CC4331EE5A9BEE82B3FDE7BDBCE1C1DC5A89C8860B682C948F4B9ACC9CD
                                                                        SHA-512:433457CB0E908BC673E952639F2DF8DA6991F2AED7E9C2CF98BCC677452BB8C5D92CCF8267ED7CA38227122FFCC6633BF40A39F2B1EAAF4262221E45899F094D
                                                                        Malicious:false
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^.`.....................D.......=... ........@.. ....................................@.................................H=..S....@...B........................................................................... ............... ..H............text........ ...................... ..`.rsrc....B...@...B... ..............@..@.reloc...............b..............@..B.................=......H...........Dv.............0F............................................{....*"..}....*....0..G........s....}......}.....s....}......}.....(........sF...}.....(......(.....*.&..(.....*...0............r...p(.........8..........(j.......,{........%.r...p.%.r...p..o...........i.Y...............,A.s%......s..........o"..........o$........o .....(......o............X....i......:`....(.............o....(l.......*..................*..0..V.........{....o......{....o........[...X...
C:\Users\user\AppData\Roaming\pid.txt
Process: C:\Users\user\AppData\Local\Temp\Pictures.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
SSDEEP: 3:IR:IR
MD5: C41DD99A69DF04044AA4E33ECE9C9249
SHA1: F09B7705E4445F0733BAD91F27BB23B9D7888E50
SHA-256: 7246D3094B003DBEB778739262E4980834DE5ABADC780D9D89432AE9017B92A6
SHA-512: 237B3F6DBF56F2661B242965358A6CB6CE570A2AACA6BC6F6E70FB580C7C50E72D1989736D8C3B8175C9F3E0FDC13915901823F98FA310B4726AF98F7303B4C1
Malicious: false
Preview: 5868

C:\Users\user\AppData\Roaming\pidloc.txt
Process: C:\Users\user\AppData\Local\Temp\Pictures.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 46
Entropy (8bit): 4.363038521594966
Encrypted: false
SSDEEP: 3:oNWXp5cViE2J5xAIEN:oNWXp+N23fEN
MD5: 46833127CC4C64CFB8650EE775DC5D9D
SHA1: F2B43FDAEAC18E55085436E55D9C30E2FD240386
SHA-256: 6F0942DBA73C781461E1E322E13537AB0F0EBE49D8C3DBD6CF9C23FC91404CBC
SHA-512: FDDDBBEB26897D349E74B5E8DC9D0A256692378494E87E6F356AAE188C16C5481030B6F5545613FF2A4D5A5F775B85DE8DED3D347E15E404FD187EFC630783BA
Malicious: false
Preview: C:\Users\user\AppData\Local\Temp\Pictures.exe

C:\Users\user\Documents\Matiex Keylogger\Screenshot.png
Process: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 6776290
Entropy (8bit): 7.949521145569992
Encrypted: false
SSDEEP: 196608:HsjNvNsjNvNsjNvNsjNnsjNnsjNnYrZzsjNu:glalalayyFQ
MD5: A757F6DDA15D9C516DEDBCCF89DBA795
SHA1: EA8A802DAE266599C0C6012240179D55660C715E
SHA-256: B914C51AED308A3B35DEDEEA326444597D2BB07E5F681CC37FD2F5BE3C0D8DA2
SHA-512: 2CEA3A0577EACFC9DE81568FD57890DC1B7E7E7780DEC861D4CF025BB8DBB6574D94DA359C8329303CC8A1E27E9567B9E985E129C98A5B6374D957A47AC43A00
Malicious: false
Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...mEy.....4...K.t......Q)j.Dc...%?.M. ..b...K..Q.{...ST,....D.K..a...w.;...Z3k...>...<.g.5..;..^ss.=........m....F....F.6....eO+c..*6~z..&.M.Q..g._6..b6}fL.G.R...l.C;".|....6~.e.]......j.\..m{.....D..z...D.1.2.&6.r.P..4....Au.d~..z....kT...+...H|....r...e......<.,.O<.1....s.z....(.jNh.....7Vd.......6......_g..8...D...........>...+x.Xf..5.e?,6.F.D{.../.6.en..#.b{.`...&.p.{.......f~..#.6O...u6...f...w..J..-vT...Ml..r..2..@-M9>..}d..V....7......g.?...'..]...X..@kj...$.x.C....e.....kx..Ou.>.(..x$....H.......m.[......>.....=....<i.Jt.%..../..v...mAmO....w<.4...<.....1.J....G3....~d ..`.P/|n.S..E....Sr0..i.....f.`...P.6..,.M^.#f.`.d.t..!...S.R..........m.Km_......}<3.........6f..`....EY.5......<.........}..5<..[.O&...#P[.(l.M...>M..v...*..,l+#..:.......=.."P..0.....T.@>.D..Q_.%.f..XL...E.6w.4.."l.HP.l....]`..G..........@R.dT..9..".N^....V..?...9.a>.T..(.F...:
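The two marker files above, pid.txt (contents 5868) and pidloc.txt (contents C:\Users\user\AppData\Local\Temp\Pictures.exe), are both written by Pictures.exe and record a process ID together with the image path of the process that wrote them. During response that pair is worth correlating with a live process list before anything on the host is touched. The function below is an added example, not code from the report or from the malware: it takes the raw contents of both files plus a PID-to-image-path map (assumed to come from the responder's own Get-Process or psutil listing) and returns the parsed values, flags and a next action. The USER_WRITABLE fragments and the sample inputs are constructed for the example.

```python
import ntpath

# Constructed inputs that mirror the two dropped files in this report.
PID_TXT = "5868"
PIDLOC_TXT = r"C:\Users\user\AppData\Local\Temp\Pictures.exe"

# Locations an installed, legitimate program rarely executes from (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\users\\public\\")


def triage_pid_artifacts(pid_txt: str, pidloc_txt: str, running: dict) -> dict:
    """Correlate the pid.txt / pidloc.txt pair with a {pid: image path} map taken
    from the responder's own process listing. Returns the parsed values, a list
    of flags and the next action for the responder."""
    out = {"pid": None, "path": None, "live": False, "flags": [], "action": ""}
    pid_txt, path = pid_txt.strip(), pidloc_txt.strip()
    if not pid_txt.isdigit():
        out["flags"].append("pid.txt is not a bare integer")
        out["action"] = "collect both marker files; contents do not match the expected format"
        return out
    out["pid"], out["path"] = int(pid_txt), path
    # ntpath.normcase lower-cases and normalises separators on any host OS.
    if any(frag in ntpath.normcase(path) for frag in USER_WRITABLE):
        out["flags"].append("recorded image path is in a user-writable directory")
    live_path = running.get(out["pid"])
    if live_path and ntpath.normcase(live_path) == ntpath.normcase(path):
        out["live"] = True
        out["flags"].append("recorded PID is still running the recorded image")
        out["action"] = f"suspend PID {out['pid']}, then acquire {path} and memory before termination"
    elif live_path:
        # PIDs are reused; a different image under the same number means the marker is old.
        out["flags"].append(f"PID {out['pid']} now belongs to {live_path}; pid.txt is stale")
        out["action"] = f"hunt for {ntpath.basename(path)} in persistence entries and on disk"
    else:
        out["action"] = f"process gone; collect {path} and both marker files as evidence"
    return out


if __name__ == "__main__":
    # Assumed process listing: the recorded PID is still alive with the recorded image.
    print(triage_pid_artifacts(PID_TXT, PIDLOC_TXT, {5868: PIDLOC_TXT}))
```

The path comparison goes through ntpath.normcase so the check behaves the same whether it runs on the Windows host or on an analyst's Linux box over an exported process list.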

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.980218078211509
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: hkaP5RPCGNDVq3Z.exe
File size: 1664000
MD5: 07556e1af1f43f7dd42d32d188187e4a
SHA1: 42110c04869726694a2537e05f987039cd829ac0
SHA256: a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
SHA512: 433457cb0e908bc673e952639f2df8da6991f2aed7e9c2cf98bcc677452bb8c5d92ccf8267ed7ca38227122ffcc6633bf40a39f2b1eaaf4262221e45899f094d
SSDEEP: 24576:xk2c3F4utgvW/OG1QjTh336I4vlsevTPvxt/mrknakwowZqDpns72zG3xzevGQSy:zTW/VmT9Klveevr/m76u3xzMTQz
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^.`.....................D.......=... ........@.. ....................................@................................

File Icon

Icon Hash: 69ce8f8e868ece69

Static PE Info

General

Entrypoint: 0x593d9e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60005EBD [Thu Jan 14 15:09:49 2021 UTC] (about five hours before the capture timestamps in the Network Behavior section, i.e. the binary was built the same day it was run)
TLS Callbacks: (none)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]    ; 0x400000 + RVA 0x2000: the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT, size 8), filled by the loader with the address of mscoree!_CorExeMain, which starts the CLR and runs the managed entry point
add byte ptr [eax], al       ; listed 97 times in the original output: everything after the 6-byte stub is zero padding, and the byte pair 00 00 disassembles to this instruction

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x193d48 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x194000 | 0x4200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x191da4 | 0x191e00 | False | 0.982069522745 | data | 7.98345662423 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x194000 | 0x4200 | 0x4200 | False | 0.603515625 | data | 6.4415366241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x19a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text section accounts for 0x191e00 (1,646,080) of the file's 1,664,000 bytes at entropy 7.98 and ZLIB complexity 0.98: almost the whole file is compressed or encrypted payload carried inside a thin managed loader, while .rsrc and .reloc look ordinary.

Resources

Name | RVA | Size | Type (Language and Country are empty for every entry)
RT_ICON | 0x194190 | 0x468 | GLS_BINARY_LSB_FIRST
RT_ICON | 0x1945f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 133035003, next used block 15594491
RT_ICON | 0x1956a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON | 0x197c48 | 0x30 | data
RT_VERSION | 0x197c78 | 0x398 | data
RT_MANIFEST | 0x198010 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

The "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" type strings are libmagic guesses on raw icon bitmap data and carry no meaning here; RT_VERSION (summarised under Version Infos) and RT_MANIFEST are the only resources worth reading.

Imports

DLL | Import
mscoree.dll | _CorExeMain

A single native import of mscoree.dll!_CorExeMain is the normal import table of any managed executable; the real code lives behind the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR above). For the same reason the Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 listed in the General table is shared by almost every .NET binary and has no attribution value for this sample.

Version Infos

Description | Data
Translation: 0x0000 0x04b0
LegalCopyright: Microsoft Corporation. All rights reserved.
Assembly Version: 10.0.11.0
InternalName: B.exe
FileVersion: 10.0.11.0
CompanyName: Microsoft Corporation
LegalTrademarks:
Comments:
ProductName: Registry Editor Pro
ProductVersion: 10.0.11.0
FileDescription: Registry Editor Pro
OriginalFilename: B.exe

The version resource claims a Microsoft Corporation copyright and the product name "Registry Editor Pro", yet the file is unsigned (Digitally signed: false in the General table) and its internal and original name is the generic B.exe. Vendor metadata copied onto an unsigned binary is itself an indicator and should be treated as spoofed.
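The static tables above (Entrypoint Preview, Data Directories, Sections, Imports) are what an analyst reads to conclude "managed loader around a packed payload". The Python script below, added here as an example and not part of the Joe Sandbox report or of the sample, automates that reading with the standard library only: it walks the PE32 headers, resolves the entrypoint through the section table, checks that the first instruction is the FF 25 jump through the IAT, confirms the CLR header directory is populated, and scores each section by Shannon entropy. Because the analysed file is not reproduced here, the script builds a constructed stand-in whose layout copies the report's values (image base 0x400000, IAT at RVA 0x2000, CLR header at 0x2008, seeded random bytes standing in for the 7.98-entropy .text section); every number inside build_synthetic_dotnet_pe() is therefore an assumption made for the example, not a measurement of the sample.

```python
import math
import random
import struct
from collections import Counter

DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14     # IMAGE_DIRECTORY_ENTRY_* indices
IMAGE_SCN_MEM_EXECUTE = 0x20000000
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; a sustained value above ~7.5 means compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Minimal PE32 header walk: entrypoint, image base, data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (PE32+ has different offsets)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsz, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsz], "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_bytes(pe: dict, rva: int, n: int) -> bytes:
    """Resolve an RVA to file bytes through the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s["raw"][rva - s["va"]:rva - s["va"] + n]
    return b""


def triage(pe: dict) -> dict:
    """The checks a reviewer makes from the report's static tables, automated."""
    dirs = pe["dirs"]
    out = {"is_dotnet": len(dirs) > DIR_COM_DESCRIPTOR and dirs[DIR_COM_DESCRIPTOR][1] > 0,
           "entry_is_jmp_iat": False, "sections": {}}
    ep = rva_to_bytes(pe, pe["entry_rva"], 6)
    if ep[:2] == b"\xff\x25":          # jmp dword ptr [abs32]: the managed-EXE stub into the IAT
        target = struct.unpack_from("<I", ep, 2)[0] - pe["image_base"]
        iat_rva, iat_size = dirs[DIR_IAT]
        out["entry_is_jmp_iat"] = iat_rva <= target < iat_rva + iat_size
    for s in pe["sections"]:
        ent = shannon_entropy(s["raw"])
        out["sections"][s["name"]] = {
            "entropy": round(ent, 3),
            "packed_exec": bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE) and ent > 7.5}
    return out


def build_synthetic_dotnet_pe() -> bytes:
    """Constructed stand-in for the analysed file (which is not reproduced here): a skeletal PE32
    with the IAT at RVA 0x2000, a zeroed CLR header at 0x2008, an FF 25 jmp through the IAT at the
    entrypoint and a .text section of seeded pseudo-random bytes imitating the packed payload."""
    base, text_va, text_raw, text_size, entry_rva = 0x400000, 0x2000, 0x200, 0x1000, 0x2100
    rng = random.Random(1)
    text = bytearray(rng.getrandbits(8) for _ in range(text_size))
    text[0:0x50] = b"\0" * 0x50                                   # IAT (8 bytes) + IMAGE_COR20_HEADER (0x48)
    text[0x100:0x106] = b"\xff\x25" + struct.pack("<I", base + text_va)   # jmp dword ptr [00402000h]
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (text_va + 0x50, 0x53)
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (text_va, 8), (text_va + 8, 0x48)
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, text_size, 0, 0, entry_rva, text_va, text_va, base,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, text_va + text_size, text_raw, 0, 2,
                      0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x60005EBD, 0, 0, len(opt), 0x0102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size, text_raw,
                      0, 0, 0, 0, 0x60000020)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return headers.ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    pe = parse_pe32(build_synthetic_dotnet_pe())
    print(f"entrypoint RVA 0x{pe['entry_rva']:x}, CLR header {pe['dirs'][DIR_COM_DESCRIPTOR]}")
    print(triage(pe))
```

To run it against a real file, pass open(path, "rb").read() to parse_pe32(); PE32+ images are rejected on purpose, since the sample is 32-bit and the 64-bit optional header has different field offsets.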

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/21-21:05:58.049806 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49728 | 104.16.155.36 | 192.168.2.3

SID 1201 fires on the server's HTTP 403 response: 104.16.155.36 refused the sample's first request on port 80 (the 49728 connection in the packet list below). It records a denied request, not an exploit attempt.

                                                                        Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2021 21:05:57.954740047 CET | 49728 | 80 | 192.168.2.3 | 104.16.155.36
Jan 14, 2021 21:05:57.994946957 CET | 80 | 49728 | 104.16.155.36 | 192.168.2.3
Jan 14, 2021 21:05:57.995073080 CET | 49728 | 80 | 192.168.2.3 | 104.16.155.36
Jan 14, 2021 21:05:57.996715069 CET | 49728 | 80 | 192.168.2.3 | 104.16.155.36
Jan 14, 2021 21:05:58.036840916 CET | 80 | 49728 | 104.16.155.36 | 192.168.2.3
Jan 14, 2021 21:05:58.049806118 CET | 80 | 49728 | 104.16.155.36 | 192.168.2.3
Jan 14, 2021 21:05:58.131392002 CET | 49728 | 80 | 192.168.2.3 | 104.16.155.36
Jan 14, 2021 21:06:00.601109028 CET | 49729 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:00.730758905 CET | 80 | 49729 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:00.731086016 CET | 49729 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:00.731735945 CET | 49729 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:00.862003088 CET | 80 | 49729 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:00.862032890 CET | 80 | 49729 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:00.862159014 CET | 80 | 49729 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:00.862704039 CET | 49729 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:00.865411997 CET | 49729 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:00.995126009 CET | 80 | 49729 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:01.133039951 CET | 49731 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:01.263864994 CET | 80 | 49731 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:01.264034986 CET | 49731 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:01.265140057 CET | 49731 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:01.398212910 CET | 80 | 49731 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:01.398312092 CET | 80 | 49731 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:01.398322105 CET | 80 | 49731 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:01.398545027 CET | 49731 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:01.398994923 CET | 49731 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:01.532432079 CET | 80 | 49731 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:04.155797005 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:04.196070910 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.197545052 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:04.248908043 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:04.289110899 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.296866894 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.296892881 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.296987057 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:04.313769102 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:04.353827953 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.354366064 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.423932076 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:04.464206934 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.492506981 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:04.631948948 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:04.664028883 CET | 49735 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:04.797888994 CET | 80 | 49735 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:04.798070908 CET | 49735 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:04.933239937 CET | 49735 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.062815905 CET | 80 | 49735 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.062843084 CET | 80 | 49735 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.062855959 CET | 80 | 49735 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.062983036 CET | 49735 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.063273907 CET | 49735 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.064338923 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:05.118690014 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:05.193202019 CET | 80 | 49735 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.236320972 CET | 49736 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.335138083 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:05.366435051 CET | 80 | 49736 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.366520882 CET | 49736 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.367397070 CET | 49736 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.498096943 CET | 80 | 49736 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.498122931 CET | 80 | 49736 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.498135090 CET | 80 | 49736 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.498517036 CET | 49736 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.498543024 CET | 49736 | 80 | 192.168.2.3 | 162.88.193.70
Jan 14, 2021 21:06:05.501065016 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:05.552758932 CET | 443 | 49732 | 104.21.19.200 | 192.168.2.3
Jan 14, 2021 21:06:05.628093958 CET | 80 | 49736 | 162.88.193.70 | 192.168.2.3
Jan 14, 2021 21:06:05.632040977 CET | 49732 | 443 | 192.168.2.3 | 104.21.19.200
Jan 14, 2021 21:06:05.642967939 CET | 49737 | 80 | 192.168.2.3 | 162.88.193.70
                                                                        Jan 14, 2021 21:06:05.772589922 CET8049737162.88.193.70192.168.2.3
                                                                        Jan 14, 2021 21:06:05.777513981 CET4973780192.168.2.3162.88.193.70
                                                                        Jan 14, 2021 21:06:06.041346073 CET4973780192.168.2.3162.88.193.70
                                                                        Jan 14, 2021 21:06:06.171420097 CET8049737162.88.193.70192.168.2.3
                                                                        Jan 14, 2021 21:06:06.171444893 CET8049737162.88.193.70192.168.2.3
                                                                        Jan 14, 2021 21:06:06.171452999 CET8049737162.88.193.70192.168.2.3
                                                                        Jan 14, 2021 21:06:06.172132969 CET4973780192.168.2.3162.88.193.70
                                                                        Jan 14, 2021 21:06:06.172476053 CET4973780192.168.2.3162.88.193.70
                                                                        Jan 14, 2021 21:06:06.303910017 CET8049737162.88.193.70192.168.2.3
                                                                        Jan 14, 2021 21:06:06.725363970 CET4972880192.168.2.3104.16.155.36
                                                                        Jan 14, 2021 21:06:19.293910980 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:19.484630108 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:19.484776974 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:19.676199913 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:19.677304029 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:19.867600918 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:19.867878914 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:19.869438887 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:20.059735060 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.063824892 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:20.254219055 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.254247904 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.254260063 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.254348993 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:20.352389097 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:20.444653988 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.500878096 CET49739587192.168.2.3199.193.7.228
                                                                        Jan 14, 2021 21:06:20.691153049 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.692426920 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.692452908 CET58749739199.193.7.228192.168.2.3
                                                                        Jan 14, 2021 21:06:20.693588972 CET49739587192.168.2.3199.193.7.228

                                                                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
--------- | --------- | ------- | -------- | ------- | ---- | ---- | -----
Jan 14, 2021 21:05:57.465439081 CET | 192.168.2.3 | 8.8.8.8 | 0x1051 | Standard query (0) | 169.241.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Jan 14, 2021 21:05:57.874526024 CET | 192.168.2.3 | 8.8.8.8 | 0xe41b | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.455746889 CET | 192.168.2.3 | 8.8.8.8 | 0xc26d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.520780087 CET | 192.168.2.3 | 8.8.8.8 | 0x3a0e | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:04.101759911 CET | 192.168.2.3 | 8.8.8.8 | 0x7f5d | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:19.234638929 CET | 192.168.2.3 | 8.8.8.8 | 0xe8c9 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:23.408366919 CET | 192.168.2.3 | 8.8.8.8 | 0x67f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:24.367578030 CET | 192.168.2.3 | 8.8.8.8 | 0x8496 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:28.627509117 CET | 192.168.2.3 | 8.8.8.8 | 0xb85e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:31.566425085 CET | 192.168.2.3 | 8.8.8.8 | 0xf7cf | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:34.748353958 CET | 192.168.2.3 | 8.8.8.8 | 0x7428 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:41.772924900 CET | 192.168.2.3 | 8.8.8.8 | 0x7677 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:45.252717018 CET | 192.168.2.3 | 8.8.8.8 | 0xf12 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:48.364864111 CET | 192.168.2.3 | 8.8.8.8 | 0x12d2 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:55.450838089 CET | 192.168.2.3 | 8.8.8.8 | 0x6dcb | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:58.396411896 CET | 192.168.2.3 | 8.8.8.8 | 0xc5c5 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:01.638959885 CET | 192.168.2.3 | 8.8.8.8 | 0x4cbe | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:09.139822960 CET | 192.168.2.3 | 8.8.8.8 | 0x79b0 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:12.172841072 CET | 192.168.2.3 | 8.8.8.8 | 0x4e20 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:17.294195890 CET | 192.168.2.3 | 8.8.8.8 | 0xeb2e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:26.625068903 CET | 192.168.2.3 | 8.8.8.8 | 0x9173 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:29.599039078 CET | 192.168.2.3 | 8.8.8.8 | 0x4fba | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:29.734687090 CET | 192.168.2.3 | 8.8.8.8 | 0x6d49 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:30.611318111 CET | 192.168.2.3 | 8.8.8.8 | 0x4fba | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:30.797226906 CET | 192.168.2.3 | 8.8.8.8 | 0x6d49 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:34.908970118 CET | 192.168.2.3 | 8.8.8.8 | 0x4b77 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:38.379416943 CET | 192.168.2.3 | 8.8.8.8 | 0xc4be | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:42.997514009 CET | 192.168.2.3 | 8.8.8.8 | 0x756f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:46.118484974 CET | 192.168.2.3 | 8.8.8.8 | 0xdc54 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:49.440176010 CET | 192.168.2.3 | 8.8.8.8 | 0x96fb | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:57.279186010 CET | 192.168.2.3 | 8.8.8.8 | 0x28eb | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:00.410562038 CET | 192.168.2.3 | 8.8.8.8 | 0x780a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:03.643287897 CET | 192.168.2.3 | 8.8.8.8 | 0xad36 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:23.154640913 CET | 192.168.2.3 | 8.8.8.8 | 0x3787 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:26.368408918 CET | 192.168.2.3 | 8.8.8.8 | 0x544c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:29.403079987 CET | 192.168.2.3 | 8.8.8.8 | 0x370f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:29.891035080 CET | 192.168.2.3 | 8.8.8.8 | 0xa74 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:36.794785023 CET | 192.168.2.3 | 8.8.8.8 | 0xaf83 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2021 21:05:57.521950960 CET | 8.8.8.8 | 192.168.2.3 | 0x1051 | Name error (3) | 169.241.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Jan 14, 2021 21:05:57.933684111 CET | 8.8.8.8 | 192.168.2.3 | 0xe41b | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:05:57.933684111 CET | 8.8.8.8 | 192.168.2.3 | 0xe41b | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.503878117 CET | 8.8.8.8 | 192.168.2.3 | 0xc26d | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2021 21:06:00.503878117 CET | 8.8.8.8 | 192.168.2.3 | 0xc26d | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.503878117 CET | 8.8.8.8 | 192.168.2.3 | 0xc26d | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.503878117 CET | 8.8.8.8 | 192.168.2.3 | 0xc26d | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.503878117 CET | 8.8.8.8 | 192.168.2.3 | 0xc26d | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.503878117 CET | 8.8.8.8 | 192.168.2.3 | 0xc26d | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.568746090 CET | 8.8.8.8 | 192.168.2.3 | 0x3a0e | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2021 21:06:00.568746090 CET | 8.8.8.8 | 192.168.2.3 | 0x3a0e | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.568746090 CET | 8.8.8.8 | 192.168.2.3 | 0x3a0e | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.568746090 CET | 8.8.8.8 | 192.168.2.3 | 0x3a0e | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.568746090 CET | 8.8.8.8 | 192.168.2.3 | 0x3a0e | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:00.568746090 CET | 8.8.8.8 | 192.168.2.3 | 0x3a0e | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:04.152630091 CET | 8.8.8.8 | 192.168.2.3 | 0x7f5d | No error (0) | freegeoip.app | | 104.21.19.200 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:04.152630091 CET | 8.8.8.8 | 192.168.2.3 | 0x7f5d | No error (0) | freegeoip.app | | 172.67.188.154 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:19.292428017 CET | 8.8.8.8 | 192.168.2.3 | 0xe8c9 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:23.469934940 CET | 8.8.8.8 | 192.168.2.3 | 0x67f | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:24.423978090 CET | 8.8.8.8 | 192.168.2.3 | 0x8496 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:28.683852911 CET | 8.8.8.8 | 192.168.2.3 | 0xb85e | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:31.624037981 CET | 8.8.8.8 | 192.168.2.3 | 0xf7cf | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:34.807579994 CET | 8.8.8.8 | 192.168.2.3 | 0x7428 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:41.832242966 CET | 8.8.8.8 | 192.168.2.3 | 0x7677 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:45.312151909 CET | 8.8.8.8 | 192.168.2.3 | 0xf12 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:48.412808895 CET | 8.8.8.8 | 192.168.2.3 | 0x12d2 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:55.507082939 CET | 8.8.8.8 | 192.168.2.3 | 0x6dcb | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:06:58.455871105 CET | 8.8.8.8 | 192.168.2.3 | 0xc5c5 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:01.686991930 CET | 8.8.8.8 | 192.168.2.3 | 0x4cbe | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:09.187827110 CET | 8.8.8.8 | 192.168.2.3 | 0x79b0 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:12.229186058 CET | 8.8.8.8 | 192.168.2.3 | 0x4e20 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:17.353468895 CET | 8.8.8.8 | 192.168.2.3 | 0xeb2e | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:26.681824923 CET | 8.8.8.8 | 192.168.2.3 | 0x9173 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:31.571217060 CET | 8.8.8.8 | 192.168.2.3 | 0x4fba | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:31.574471951 CET | 8.8.8.8 | 192.168.2.3 | 0x6d49 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:34.965646029 CET | 8.8.8.8 | 192.168.2.3 | 0x4b77 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:38.436291933 CET | 8.8.8.8 | 192.168.2.3 | 0xc4be | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:43.057260036 CET | 8.8.8.8 | 192.168.2.3 | 0x756f | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:46.175241947 CET | 8.8.8.8 | 192.168.2.3 | 0xdc54 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:49.488023043 CET | 8.8.8.8 | 192.168.2.3 | 0x96fb | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:07:57.335459948 CET | 8.8.8.8 | 192.168.2.3 | 0x28eb | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:00.469605923 CET | 8.8.8.8 | 192.168.2.3 | 0x780a | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:03.691255093 CET | 8.8.8.8 | 192.168.2.3 | 0xad36 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:23.206329107 CET | 8.8.8.8 | 192.168.2.3 | 0x3787 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:26.428071022 CET | 8.8.8.8 | 192.168.2.3 | 0x544c | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:29.451061964 CET | 8.8.8.8 | 192.168.2.3 | 0x370f | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:29.947247982 CET | 8.8.8.8 | 192.168.2.3 | 0xa74 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Jan 14, 2021 21:08:36.851361990 CET | 8.8.8.8 | 192.168.2.3 | 0xaf83 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• whatismyipaddress.com
• checkip.dyndns.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49728 | 104.16.155.36 | 80 | C:\Users\user\AppData\Local\Temp\Pictures.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2021 21:05:57.996715069 CET | 191 | OUT | GET / HTTP/1.1
  Host: whatismyipaddress.com
  Connection: Keep-Alive
Jan 14, 2021 21:05:58.049806118 CET | 192 | IN | HTTP/1.1 403 Forbidden
  Date: Thu, 14 Jan 2021 20:05:58 GMT
  Content-Type: text/plain; charset=UTF-8
  Content-Length: 16
  Connection: keep-alive
  X-Frame-Options: SAMEORIGIN
  Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  Set-Cookie: __cfduid=da30a9e46a531c2398d1ab9843a1ff20b1610654758; expires=Sat, 13-Feb-21 20:05:58 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
  cf-request-id: 07a41a4c8c00004a91a8914000000001
  Server: cloudflare
  CF-RAY: 6119f98dae3f4a91-FRA
  Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
  Data Ascii: error code: 1020


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49729 | 162.88.193.70 | 80 | C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2021 21:06:00.731735945 CET | 210 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 14, 2021 21:06:00.862032890 CET | 211 | IN | HTTP/1.1 200 OK
  Content-Type: text/html
  Server: DynDNS-CheckIP/1.0.1
  Connection: close
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Length: 103
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49731 | 162.88.193.70 | 80 | C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2021 21:06:01.265140057 CET | 216 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 14, 2021 21:06:01.398312092 CET | 219 | IN | HTTP/1.1 200 OK
  Content-Type: text/html
  Server: DynDNS-CheckIP/1.0.1
  Connection: close
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Length: 103
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49735 | 162.88.193.70 | 80 | C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2021 21:06:04.933239937 CET | 275 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 14, 2021 21:06:05.062843084 CET | 275 | IN | HTTP/1.1 200 OK
  Content-Type: text/html
  Server: DynDNS-CheckIP/1.0.1
  Connection: close
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Length: 103
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49736 | 162.88.193.70 | 80 | C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2021 21:06:05.367397070 CET | 277 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 14, 2021 21:06:05.498122931 CET | 278 | IN | HTTP/1.1 200 OK
  Content-Type: text/html
  Server: DynDNS-CheckIP/1.0.1
  Connection: close
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Length: 103
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49737 | 162.88.193.70 | 80 | C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2021 21:06:06.041346073 CET | 280 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 14, 2021 21:06:06.171444893 CET | 281 | IN | HTTP/1.1 200 OK
  Content-Type: text/html
  Server: DynDNS-CheckIP/1.0.1
  Connection: close
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Length: 103
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jan 14, 2021 21:06:04.296892881 CET | 104.21.19.200 | 443 | 192.168.2.3 | 49732 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 10 02:00:00 CEST 2020 | Tue Aug 10 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
(chain, same connection) | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 14, 2021 21:06:19.676199913 CET | 587 | 49739 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:06:19.677304029 CET | 49739 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:06:19.867878914 CET | 587 | 49739 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
  250-PIPELINING
  250-SIZE 81788928
  250-ETRN
  250-AUTH PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 STARTTLS
Jan 14, 2021 21:06:19.869438887 CET | 49739 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:06:20.059735060 CET | 587 | 49739 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:06:23.855637074 CET | 587 | 49741 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:06:23.979095936 CET | 49741 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:06:24.169600010 CET | 587 | 49741 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
  250-PIPELINING
  250-SIZE 81788928
  250-ETRN
  250-AUTH PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 STARTTLS
Jan 14, 2021 21:06:24.169857979 CET | 49741 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:06:24.360356092 CET | 587 | 49741 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:06:24.842624903 CET | 587 | 49743 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:06:24.846966028 CET | 587 | 49742 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:06:24.853744030 CET | 49742 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:06:24.877975941 CET | 49743 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:06:25.043946981 CET | 587 | 49742 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
  250-PIPELINING
  250-SIZE 81788928
  250-ETRN
  250-AUTH PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 STARTTLS
Jan 14, 2021 21:06:25.068721056 CET | 587 | 49743 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
  250-PIPELINING
  250-SIZE 81788928
  250-ETRN
  250-AUTH PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 STARTTLS
Jan 14, 2021 21:06:25.484189987 CET | 49743 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:06:25.484332085 CET | 49742 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:06:25.674161911 CET | 587 | 49742 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:06:25.674288034 CET | 587 | 49743 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:06:26.389698029 CET | 587 | 49744 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:06:26.392261982 CET | 587 | 49745 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:06:27.673405886 CET | 49744 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:06:27.673863888 CET | 49745 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:06:27.865693092 CET | 587 | 49744 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
  250-PIPELINING
  250-SIZE 81788928
  250-ETRN
  250-AUTH PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 STARTTLS
Jan 14, 2021 21:06:27.865717888 CET | 587 | 49745 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
  250-PIPELINING
  250-SIZE 81788928
  250-ETRN
  250-AUTH PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 STARTTLS
Jan 14, 2021 21:06:27.891627073 CET | 49744 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:06:27.891891956 CET | 49745 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:06:28.082043886 CET | 587 | 49744 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:06:28.082133055 CET | 587 | 49745 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:06:29.069278955 CET | 587 | 49746 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:29.069813013 CET49746587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:29.263468027 CET58749746199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:29.263863087 CET49746587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:29.454248905 CET58749746199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:06:32.013618946 CET58749747199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:32.016169071 CET49747587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:32.208035946 CET58749747199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:32.208298922 CET49747587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:32.398788929 CET58749747199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:06:35.191539049 CET58749748199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:35.191770077 CET49748587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:35.382066011 CET58749748199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:35.382353067 CET49748587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:35.572527885 CET58749748199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:06:37.334799051 CET49748587192.168.2.3199.193.7.228242,a]?9|[O$;]6g|A(Fujj{fsT]."rU3@Bqx>2.,>+%,lUIO2r/G|Ph)y#J@PYTZPFh:<Iaxv$2{/k1-h45850wfxor<W
                                                                        <:F_m|pp^Ja0C%yh$skpU\Me1}WgX*MAXfl/q!55+__u@s-7orZT4<`<(I~d4B*R
                                                                        oJyUH#~TEX0Bq63> iLxe,E7FR!5!|IcObs_tj$-=Ul%xBQ;yZ\KF.:I5Y
                                                                        Zru=DuR^QcrmzQC<f1"6o+@pfzkf-oX{ y|Z4/xfH~kV{apSzR)
                                                                        e0NEN gX"4e!lNXi|c8-wvLs_R=0{x"B2KZG<9"G9aPaquwZ;A3oadF7Ph@]m40Ii^qp$}DC~p(IFMhC;|hSSt3'C a=?L'aAjX BfM'6;4{;`k+jooQn;.,UMCX?UFiB[*e%w$18fmNi
                                                                        [0<i?kMg!qo#L<~-k{l~=&bUJ;b\jV]{A%i;"z?V]^xs7w[td`,XQ3>Ovf_xx@?(L4Ml9x(}~L0Fk,JM^[6S5Gv\@sx,0"~yg/2 q(}h4{d?&;I\>`K8c+7`@4P61V0HE1z",?p)9^Ay[G(!"-*;A2L6Bw~XrtA-xY7&R]kA=cAf5r'ohM(UhuA7S*5'){m>@(.-OI^MGj o5>\5&iFQT.k1~8~H}k,-#>QkNlkQB.Dm(s<*-ql%QLFe%Y^k(NU<pMv}"#akB=PwAN8ezq{V+a;]@t/-}rk+-Z
                                                                        jJ3\/SiO_5.`Cr"qF[4b
                                                                        4$)i2J6MY"Ap!@zvhR0
                                                                        /5J*` _mLt2ysF_;])Ca3SzL|ktZHHQ(26$jr;<;]{d5'?\ bC)o6zfe^JSg(bEPkG{ )3!@\ oYUEL+*%gJKSfpB}0x{<Y#Wc<a'Jy$~$19tu VoO0.e4tD" <Ma#O:n r&aVlTMwE{\{._"#Ki ,n%7Pn4VDaAM,x\(JOdUp+Iso .3H*/
                                                                        AY^'g-I(Z*%GZQ&a7+5Tz`?
                                                                        hkd yml]5PI#H<a@@meP{{QhCef9\H)K?zd$dmyH<l|0>j9FgbI;jeR$i<U{}"M|9f'NB{IbD(';-[
                                                                        !ZAZa%'Q'CSD@:5SS&x~!
                                                                        lA{JSe.Ur-oyQ9.fbqh[ILYmp%gGWD)Gj=2sXM@J6
                                                                        xu;7qV^f$AO0DBYW<3d'#!*-TJNU[E:E%7iL#TA:AS`mqhIm=j 6rsJUO$RN@wNam2*dT85 '8P,p#d;L'?0U\*F9oTPkwP~%FNSRygGU9Eh HpA jQMFrxxxkoeCG?O$zOF6iZQ_j~1ASA p{koKYw1u/\O54UC+nd?Rk+?>*f%k&))
                                                                        _@/.zv;(Boe6j-J/Ct3B#aG?~GI2~cz0rl1O@mjl022@f-:{:xuy'Y3Wm) J^#a6qR1[e8@uND|3[mAzM|%x\xR[:m,dC&N3cW!k3 m'G&]jAO;[T-[V{xu`R3%\uqN=ve-P63dW.<}*"H5qxl7A og#m7,lJA:45HRuW/&496+qsOmpOC+\4O&/q
                                                                        ReB,a+Z6p{ZH-k5 y:<.h_^ud1QS^7lyi\R,.R3hq=k7W(/m^-0yx6(Z}[*s}Aj5ou`]kDZeXo#WRl_YuHk]HO"];QcSC9:w@DN6P#(\"GHOtl4Vdm&qiS08yU]9dS91uUajU+I^8O7
                                                                        ;IUn0n~"+"IY'K39or>K1_LoFZTZ4j2%vop+'7{~h]4Ss&'ni\Q=&Zl/BE'W5L%.a?LrX(ZY#yK'{F5!:"$g
                                                                        ;S7IZR5/6>6{raq3B\tzwu-ojGT98q]<,ZR_<W#M42Aq\P((r{g|AM=uj
                                                                        3U1tF31[1xt{q4eX0/C71Wnx[}l<!:bN6:>JAjro~5k:?87<x,FuPJ]h(@hGjJHlE_(I6H3yvezye39`[ekpE^wSNg"R@Bb}:*Y~&HWed+!oy%O
                                                                        ?Fn<F@ tA5''@wAVw0o6rwD743KMW6AvJ
                                                                        r4UZ\gFLd?5aZr.U$;;Q-.9&1}y$Qh^,es/Z9bQ Wz22Hks1wU$fIi1sZ;9n+XO{ G\o<{ak%@Aw,$7OoP_Vz:A4!=iO`K1@oac^wv=O)Vo2f[/z7*=e/x
                                                                        Jan 14, 2021 21:06:42.589994907 CET58749750199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:42.590565920 CET49750587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:42.780843019 CET58749750199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:42.781291008 CET49750587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:42.971194983 CET58749750199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:06:45.697830915 CET58749751199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:45.698507071 CET49751587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:45.889461994 CET58749751199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:45.890769005 CET49751587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:46.081245899 CET58749751199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:06:48.802799940 CET58749755199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:48.805089951 CET49755587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:48.996228933 CET58749755199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:48.996536016 CET49755587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:49.186985016 CET58749755199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:06:55.891541958 CET58749760199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:55.893876076 CET49760587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:56.084568977 CET58749760199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:56.084839106 CET49760587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:56.275809050 CET58749760199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:06:58.841316938 CET58749761199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:06:58.842483997 CET49761587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:06:59.032845020 CET58749761199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:06:59.033158064 CET49761587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:06:59.223288059 CET58749761199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:02.071787119 CET58749762199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:02.072164059 CET49762587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:02.262717962 CET58749762199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:02.263041019 CET49762587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:02.453207970 CET58749762199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:09.573642969 CET58749763199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:09.574439049 CET49763587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:09.764997959 CET58749763199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:09.767098904 CET49763587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:09.957834005 CET58749763199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:12.614541054 CET58749764199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:12.615103960 CET49764587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:12.805876970 CET58749764199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:12.806247950 CET49764587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:12.996459007 CET58749764199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:17.737935066 CET58749765199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:17.739171982 CET49765587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:17.930471897 CET58749765199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:17.930946112 CET49765587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:18.121371031 CET58749765199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:27.068408966 CET58749768199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:27.068917036 CET49768587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:27.261545897 CET58749768199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:27.261811972 CET49768587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:27.451867104 CET58749768199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:31.960315943 CET58749769199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:31.960829973 CET49769587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:32.151460886 CET58749769199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:32.151758909 CET49769587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:32.168351889 CET58749770199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:32.179450989 CET49770587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:32.341859102 CET58749769199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:32.369939089 CET58749770199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:32.394045115 CET49770587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:32.584306955 CET58749770199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:35.350095034 CET58749771199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:35.350413084 CET49771587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:35.540973902 CET58749771199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:35.541245937 CET49771587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:35.731347084 CET58749771199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:38.827608109 CET58749772199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:38.828126907 CET49772587192.168.2.3199.193.7.228EHLO 651689
                                                                        Jan 14, 2021 21:07:39.021259069 CET58749772199.193.7.228192.168.2.3250-MTA-09.privateemail.com
                                                                        250-PIPELINING
                                                                        250-SIZE 81788928
                                                                        250-ETRN
                                                                        250-AUTH PLAIN LOGIN
                                                                        250-ENHANCEDSTATUSCODES
                                                                        250-8BITMIME
                                                                        250 STARTTLS
                                                                        Jan 14, 2021 21:07:39.021845102 CET49772587192.168.2.3199.193.7.228STARTTLS
                                                                        Jan 14, 2021 21:07:39.212287903 CET58749772199.193.7.228192.168.2.3220 Ready to start TLS
                                                                        Jan 14, 2021 21:07:43.441412926 CET58749773199.193.7.228192.168.2.3220 PrivateEmail.com Mail Node
                                                                        Jan 14, 2021 21:07:43.441817045 CET49773587192.168.2.3199.193.7.228EHLO 651689
Jan 14, 2021 21:07:43.632425070 CET | 587 | 49773 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:07:43.632754087 CET | 49773 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:07:43.822805882 CET | 587 | 49773 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:07:46.559166908 CET | 587 | 49774 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:07:46.559506893 CET | 49774 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:07:46.749903917 CET | 587 | 49774 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:07:46.752901077 CET | 49774 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:07:46.943000078 CET | 587 | 49774 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:07:49.874026060 CET | 587 | 49775 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:07:49.874351978 CET | 49775 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:07:50.064955950 CET | 587 | 49775 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:07:50.066360950 CET | 49775 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:07:50.256568909 CET | 587 | 49775 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:07:57.720851898 CET | 587 | 49776 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:07:57.721236944 CET | 49776 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:07:57.912094116 CET | 587 | 49776 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:07:57.912452936 CET | 49776 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:07:58.102731943 CET | 587 | 49776 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:00.856621027 CET | 587 | 49777 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:00.860003948 CET | 49777 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:01.050780058 CET | 587 | 49777 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:01.051146984 CET | 49777 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:01.241416931 CET | 587 | 49777 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:04.080991030 CET | 587 | 49778 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:04.083841085 CET | 49778 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:04.274458885 CET | 587 | 49778 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:04.274725914 CET | 49778 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:04.751332045 CET | 49778 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:05.266952991 CET | 49778 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:06.204557896 CET | 49778 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:06.350461960 CET | 587 | 49778 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:23.592619896 CET | 587 | 49781 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:23.593518019 CET | 49781 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:23.783970118 CET | 587 | 49781 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:23.784568071 CET | 49781 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:23.974697113 CET | 587 | 49781 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:26.816389084 CET | 587 | 49785 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:26.816613913 CET | 49785 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:27.006618023 CET | 587 | 49785 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:27.010982990 CET | 49785 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:27.200716019 CET | 587 | 49785 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:29.837455034 CET | 587 | 49788 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:29.837871075 CET | 49788 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:30.028126001 CET | 587 | 49788 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:30.028868914 CET | 49788 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:30.219094038 CET | 587 | 49788 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:30.332055092 CET | 587 | 49790 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:30.332328081 CET | 49790 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:30.522665977 CET | 587 | 49790 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:30.525733948 CET | 49790 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:30.715986967 CET | 587 | 49790 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:37.235394955 CET | 587 | 49793 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:37.238352060 CET | 49793 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:37.428744078 CET | 587 | 49793 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:37.430358887 CET | 49793 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:37.620623112 CET | 587 | 49793 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:39.815867901 CET | 587 | 49794 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:39.818447113 CET | 49794 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:40.009578943 CET | 587 | 49794 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:40.009758949 CET | 49794 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:40.200761080 CET | 587 | 49794 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:42.538007021 CET | 587 | 49795 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:42.538181067 CET | 49795 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:42.728702068 CET | 587 | 49795 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:42.731040001 CET | 49795 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:42.921432018 CET | 587 | 49795 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:49.151541948 CET | 587 | 49796 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:49.151784897 CET | 49796 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:49.344341040 CET | 587 | 49796 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:49.344535112 CET | 49796 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:49.536264896 CET | 587 | 49796 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:51.706525087 CET | 587 | 49797 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:51.706792116 CET | 49797 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:51.898078918 CET | 587 | 49797 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:51.898345947 CET | 49797 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:52.088778019 CET | 587 | 49797 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:08:54.328946114 CET | 587 | 49798 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:08:54.329163074 CET | 49798 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:08:54.522209883 CET | 587 | 49798 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:08:54.522366047 CET | 49798 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:08:54.712547064 CET | 587 | 49798 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:09:00.964884996 CET | 587 | 49799 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:09:00.965120077 CET | 49799 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:09:01.155860901 CET | 587 | 49799 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:09:01.156012058 CET | 49799 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:09:01.346335888 CET | 587 | 49799 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:09:03.528671026 CET | 587 | 49800 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:09:03.529010057 CET | 49800 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:09:03.719451904 CET | 587 | 49800 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:09:03.719784975 CET | 49800 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:09:03.911150932 CET | 587 | 49800 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:09:06.182318926 CET | 587 | 49801 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:09:06.182481050 CET | 49801 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:09:06.373927116 CET | 587 | 49801 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:09:06.374124050 CET | 49801 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:09:06.564444065 CET | 587 | 49801 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS
Jan 14, 2021 21:09:12.744306087 CET | 587 | 49802 | 199.193.7.228 | 192.168.2.3 | 220 PrivateEmail.com Mail Node
Jan 14, 2021 21:09:12.744764090 CET | 49802 | 587 | 192.168.2.3 | 199.193.7.228 | EHLO 651689
Jan 14, 2021 21:09:12.937553883 CET | 587 | 49802 | 199.193.7.228 | 192.168.2.3 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 14, 2021 21:09:12.938822985 CET | 49802 | 587 | 192.168.2.3 | 199.193.7.228 | STARTTLS
Jan 14, 2021 21:09:13.128885031 CET | 587 | 49802 | 199.193.7.228 | 192.168.2.3 | 220 Ready to start TLS

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 21:05:30
Start date: 14/01/2021
Path: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe'
Imagebase: 0x740000
File size: 1664000 bytes
MD5 hash: 07556E1AF1F43F7DD42D32D188187E4A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 21:05:49
Start date: 14/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'
Imagebase: 0xea0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:05:49
Start date: 14/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                        General

                                                                        Start time:21:05:50
                                                                        Start date:14/01/2021
                                                                        Path:C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:{path}
                                                                        Imagebase:0x680000
                                                                        File size:1664000 bytes
                                                                        MD5 hash:07556E1AF1F43F7DD42D32D188187E4A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:Visual Basic
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000003.261043420.0000000000DBC000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000003.261983479.000000000406E000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000003.264379500.0000000004001000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000003.255977838.0000000000D94000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                        • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:05:52
                                                                        Start date:14/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
                                                                        Imagebase:0x880000
                                                                        File size:456192 bytes
                                                                        MD5 hash:D9001138C5119D936B70BF77E136AFBE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Avira
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:05:53
                                                                        Start date:14/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\Pictures.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
                                                                        Imagebase:0x470000
                                                                        File size:533504 bytes
                                                                        MD5 hash:25146E9C5ECD498DD17BA01E6CFAEB24
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.280377660.0000000003B91000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.280377660.0000000003B91000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Joe Security
                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: Joe Security
                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, Author: JPCERT/CC Incident Response Group
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Avira
                                                                        • Detection: 100%, Avira
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:05:53
                                                                        Start date:14/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\PO456724392021.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
                                                                        Imagebase:0xe90000
                                                                        File size:221696 bytes
                                                                        MD5 hash:F38E2D474C075EFF35B4EF81FDACA650
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.261860544.0000000000E92000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.614250246.0000000000E92000.00000002.00020000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:05:54
                                                                        Start date:14/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\PO2345714382021.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
                                                                        Imagebase:0xa0000
                                                                        File size:220672 bytes
                                                                        MD5 hash:9B79DE8E3AD21F14E71E55CFA6AE4727
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Avira
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        Reputation:low
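The Yara "Source" field in the entries above is either a dropped file path or a memory-dump name such as 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp. Which one it is matters for triage: a HawkEye signature on the packed file on disk only says the sample is known, while the same signature inside a writable, executable region of a running process points at the unpacked or injected payload. The following is an added example, not part of the Joe Sandbox report. It assumes a field layout for the dump names (process index, phase, dump id, base address, Win32 PAGE_* protection, region type) that is inferred from the names on this page rather than documented here; the phase and region-type fields are kept raw because their meaning is not established by the page. The protection constants are the standard winnt.h values. The sample hit list is a subset copied from the entries above.

```python
"""Rank Yara hits from a sandbox report by the page protection of the region they matched in."""
import re
from collections import defaultdict

# Win32 PAGE_* memory protection constants (winnt.h)
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# ASSUMED layout of the dump names in this report (inferred from the names on the
# page, not documented there):
#   <process index>.<phase>.<dump id>.<base address>.<PAGE_* protection>.<region type>.sdmp
SDMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp(source):
    """Decode a memory-dump source name; return None for an on-disk file source."""
    m = SDMP_NAME.match(source)
    if m is None:
        return None
    prot = int(m["prot"], 16)
    return {
        "proc": int(m["proc"], 16),
        "phase": int(m["phase"], 16),        # kept raw: phase semantics not decoded here
        "base": int(m["base"], 16),
        "protect": PAGE_NAMES.get(prot & 0xFF, hex(prot)),
        "executable": bool(prot & EXEC_MASK),
        "writable": bool(prot & WRITE_MASK),
        "region_type": int(m["rtype"], 16),  # kept raw, same reason
    }


def rank(info):
    """0 = RWX (unpacked/injected code), 1 = executable only, 2 = non-executable data."""
    if info["executable"] and info["writable"]:
        return 0
    return 1 if info["executable"] else 2


VERDICT = {
    0: "RWX region: unpacked or injected code",
    1: "executable, non-writable: mapped code",
    2: "non-executable data: strings/config in heap or stack",
}


def triage(yara_hits):
    """Group (rule, source) pairs by memory region, RWX regions first.
    Returns (region list, {file path: [rules]}) so file hits are kept apart."""
    regions = defaultdict(set)
    files = defaultdict(set)
    for rule, source in yara_hits:
        info = parse_sdmp(source)
        if info is None:
            files[source].add(rule)
            continue
        regions[(rank(info), info["proc"], info["base"], info["protect"])].add(rule)
    out = [
        {"proc": proc, "base": base, "protect": prot, "verdict": VERDICT[r], "rules": sorted(rules)}
        for (r, proc, base, prot), rules in sorted(regions.items(), key=lambda kv: kv[0])
    ]
    return out, {path: sorted(rules) for path, rules in files.items()}


SAMPLE_HITS = [  # subset of the Yara matches listed in the process entries above
    ("RAT_HawkEye", "00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp"),
    ("JoeSecurity_HawkEye", "00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp"),
    ("JoeSecurity_AgentTesla_1", "00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp"),
    ("JoeSecurity_HawkEye", "00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp"),
    ("RAT_HawkEye", "00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp"),
    ("RAT_HawkEye", r"C:\Users\user\AppData\Local\Temp\Pictures.exe"),
]

if __name__ == "__main__":
    region_list, file_hits = triage(SAMPLE_HITS)
    for r in region_list:
        print(f"proc {r['proc']} @ {r['base']:#010x} {r['protect']:<24} {r['verdict']}: {', '.join(r['rules'])}")
    for path, rules in file_hits.items():
        print(f"file {path}: {', '.join(rules)}")
```

Run against the full Yara list of a report, the first rows are the regions worth dumping and unpacking: here the 0x403000 region of process index 3 (the second instance of hkaP5RPCGNDVq3Z.exe) comes out on top as PAGE_EXECUTE_READWRITE with both HawkEye rules on it, while the hits on Pictures.exe on disk and on its read-only pages at 0x472000 rank last.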

                                                                        General

                                                                        Start time:21:05:57
                                                                        Start date:14/01/2021
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:dw20.exe -x -s 2100
                                                                        Imagebase:0x10000000
                                                                        File size:33936 bytes
                                                                        MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:06:15
                                                                        Start date:14/01/2021
                                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'netsh' wlan show profile
                                                                        Imagebase:0xc70000
                                                                        File size:82944 bytes
                                                                        MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
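The schtasks.exe and netsh.exe entries above are the two living-off-the-land commands that the report's Sigma signatures key on: a scheduled task registered from an XML file the sample wrote to %TEMP% (tmpEED.tmp under Updates\jcKKBKdU), and WLAN profile enumeration via netsh wlan show profile, the first step before netsh wlan show profile name=<ssid> key=clear dumps a pre-shared key in plaintext. The following is an added example, not part of the Joe Sandbox report or of the sample: a small Python rule set run over constructed process-creation events (Sysmon Event ID 1 style fields) modelled on the command lines above. The extra events, a key=clear variant and a benign schtasks /Query, are invented for illustration; the Pictures.exe event shows that executables launched from the user's temp directory are also caught.

```python
"""Flag the schtasks-from-temp and netsh WLAN commands seen in the process list above."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation event, Sysmon Event ID 1 / Security 4688 style fields."""
    image: str    # full path of the started executable
    cmdline: str  # raw command line as logged


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# schtasks /Create ... /XML <file>: the task definition is read from a file whose
# argument may be quoted with ' or " (the report shows single quotes).
SCHTASKS_XML = re.compile(r"/XML\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
NETSH_WLAN = re.compile(r"\bwlan\s+show\s+profile\b", re.IGNORECASE)
NETSH_KEY = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scheduled_task_from_temp(e):
    """Task registered from an XML definition that lives in the user's temp dir."""
    if basename(e.image) != "schtasks.exe":
        return None
    if not re.search(r"/create\b", e.cmdline, re.IGNORECASE):
        return None
    m = SCHTASKS_XML.search(e.cmdline)
    if m and TEMP_DIR.search(m.group(1)):
        return f"schtasks registers task from temp XML: {m.group(1)}"
    return None


def wifi_profile_harvest(e):
    """netsh wlan show profile: enumeration is medium, key=clear is high."""
    if basename(e.image) != "netsh.exe" or not NETSH_WLAN.search(e.cmdline):
        return None
    severity = "high" if NETSH_KEY.search(e.cmdline) else "medium"
    return f"netsh WLAN profile access ({severity}): {e.cmdline}"


def spawned_from_temp(e):
    """Executable image located under %LOCALAPPDATA%\\Temp."""
    if TEMP_DIR.search(e.image):
        return f"executable started from user temp dir: {e.image}"
    return None


RULES = [scheduled_task_from_temp, wifi_profile_harvest, spawned_from_temp]


def evaluate(events):
    """Return (rule name, message) for every rule that fires on every event."""
    hits = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


SAMPLE_EVENTS = [  # constructed, modelled on the command lines in the entries above
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'"),
    ProcEvent(r"C:\Windows\SysWOW64\netsh.exe", "'netsh' wlan show profile"),
    # invented follow-up: the plaintext key dump that usually follows enumeration
    ProcEvent(r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile name=HomeNet key=clear"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\Pictures.exe",
              r"'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0"),
    ProcEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # invented benign control: querying a task is not creating one
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks /Query /TN Updates"),
]

if __name__ == "__main__":
    for name, msg in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The schtasks rule deliberately checks the /XML argument's location rather than the task name, since Updates\jcKKBKdU is per-sample noise while the %TEMP% XML staging is the reusable behaviour; the netsh rule fires on enumeration alone because the profile listing is already reconnaissance, and escalates when key=clear is present.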

                                                                        General

                                                                        Start time:21:06:15
                                                                        Start date:14/01/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b2800000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
