
Analysis Report Orders.exe

Overview

General Information

Sample Name: Orders.exe
Analysis ID: 346555
MD5: e85daf3a43f107b213310a53bfd35aa9
SHA1: 042208c7a232b806c6382e34417f9c8e2a955747
SHA256: 0b1fbc81d9d9e685307e80d20afe4b01c6538b903b77136b0d1db2486fe8c6e8
Tags: exe, Yahoo

Most interesting Screenshot:

Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Opens the same file many times (likely Sandbox evasion)
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • Orders.exe (PID: 6824 cmdline: 'C:\Users\user\Desktop\Orders.exe' MD5: E85DAF3A43F107B213310A53BFD35AA9)
    • powershell.exe (PID: 6896 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 7000 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • hawkgoods.exe (PID: 7064 cmdline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
        • dw20.exe (PID: 6008 cmdline: dw20.exe -x -s 2132 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6288 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 976 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 6308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • WerFault.exe (PID: 2324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 2132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • origigoods40.exe (PID: 7116 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Matiexgoods.exe (PID: 7148 cmdline: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
        • netsh.exe (PID: 6780 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • origigoods20.exe (PID: 5580 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
    • WerFault.exe (PID: 2116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • I$s#$lT3ssl.exe (PID: 5184 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: E85DAF3A43F107B213310A53BFD35AA9)
    • powershell.exe (PID: 5296 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 5468 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • hawkgoods.exe (PID: 4388 cmdline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
      • origigoods40.exe (PID: 5692 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Matiexgoods.exe (PID: 6724 cmdline: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
      • origigoods20.exe (PID: 5612 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
    • WerFault.exe (PID: 2160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 1096 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "sales1@midombo.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "", "From: ": "sales1@midombo.com"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\origigoods20.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
C:\Users\user\AppData\Local\Temp\origigoods40.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp |
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
  • 0x7b8c7:$key: HawkEyeKeylogger
  • 0x7db0b:$salt: 099u787978786
  • 0x7bf08:$string1: HawkEye_Keylogger
  • 0x7cd5b:$string1: HawkEye_Keylogger
  • 0x7da6b:$string1: HawkEye_Keylogger
  • 0x7c2f1:$string2: holdermail.txt
  • 0x7c311:$string2: holdermail.txt
  • 0x7c233:$string3: wallet.dat
  • 0x7c24b:$string3: wallet.dat
  • 0x7c261:$string3: wallet.dat
  • 0x7d62f:$string4: Keylog Records
  • 0x7d947:$string4: Keylog Records
  • 0x7db63:$string5: do not script -->
  • 0x7b8af:$string6: \pidloc.txt
  • 0x7b93d:$string7: BSPLIT
  • 0x7b94d:$string7: BSPLIT
(4 further entries not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000025.00000000.399012238.0000000000E72000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
  • 0x12df7:$key: HawkEyeKeylogger
  • 0x1503b:$salt: 099u787978786
  • 0x13438:$string1: HawkEye_Keylogger
  • 0x1428b:$string1: HawkEye_Keylogger
  • 0x14f9b:$string1: HawkEye_Keylogger
  • 0x13821:$string2: holdermail.txt
  • 0x13841:$string2: holdermail.txt
  • 0x13763:$string3: wallet.dat
  • 0x1377b:$string3: wallet.dat
  • 0x13791:$string3: wallet.dat
  • 0x14b5f:$string4: Keylog Records
  • 0x14e77:$string4: Keylog Records
  • 0x15093:$string5: do not script -->
  • 0x12ddf:$string6: \pidloc.txt
  • 0x12e6d:$string7: BSPLIT
  • 0x12e7d:$string7: BSPLIT
00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group |
  • 0x13490:$hawkstr1: HawkEye Keylogger
  • 0x142d1:$hawkstr1: HawkEye Keylogger
  • 0x14600:$hawkstr1: HawkEye Keylogger
  • 0x1475b:$hawkstr1: HawkEye Keylogger
  • 0x148be:$hawkstr1: HawkEye Keylogger
  • 0x14b37:$hawkstr1: HawkEye Keylogger
  • 0x1301e:$hawkstr2: Dear HawkEye Customers!
  • 0x14653:$hawkstr2: Dear HawkEye Customers!
  • 0x147aa:$hawkstr2: Dear HawkEye Customers!
  • 0x14911:$hawkstr2: Dear HawkEye Customers!
  • 0x1313f:$hawkstr3: HawkEye Logger Details:
00000027.00000000.408264262.0000000000532000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(106 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
10.0.origigoods20.exe.680000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
6.0.hawkgoods.exe.670000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp |
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.hawkgoods.exe.670000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
  • 0x7b8c7:$key: HawkEyeKeylogger
  • 0x7db0b:$salt: 099u787978786
  • 0x7bf08:$string1: HawkEye_Keylogger
  • 0x7cd5b:$string1: HawkEye_Keylogger
  • 0x7da6b:$string1: HawkEye_Keylogger
  • 0x7c2f1:$string2: holdermail.txt
  • 0x7c311:$string2: holdermail.txt
  • 0x7c233:$string3: wallet.dat
  • 0x7c24b:$string3: wallet.dat
  • 0x7c261:$string3: wallet.dat
  • 0x7d62f:$string4: Keylog Records
  • 0x7d947:$string4: Keylog Records
  • 0x7db63:$string5: do not script -->
  • 0x7b8af:$string6: \pidloc.txt
  • 0x7b93d:$string7: BSPLIT
  • 0x7b94d:$string7: BSPLIT
6.0.hawkgoods.exe.670000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
6.0.hawkgoods.exe.670000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
(43 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0, ParentImage: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, ParentProcessId: 7148, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6780

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: origigoods20.exe.5580.10.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "sales1@midombo.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "", "From: ": "sales1@midombo.com"}
Source: Orders.exe.6824.1.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Metadefender: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Metadefender: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: Orders.exe | ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Orders.exe | Joe Sandbox ML: detected
Source: 6.0.hawkgoods.exe.670000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 6.0.hawkgoods.exe.670000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 36.0.hawkgoods.exe.3d0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 36.0.hawkgoods.exe.3d0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 38.0.Matiexgoods.exe.6e0000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 33.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 33.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 4.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.Matiexgoods.exe.320000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 6.2.hawkgoods.exe.670000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.hawkgoods.exe.670000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 36.2.hawkgoods.exe.3d0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 36.2.hawkgoods.exe.3d0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files
Source: Orders.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.7:49727 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.7:49795 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Orders.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: crypt32.pdbPq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: System.Data.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.261989055.0000000003001000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.304085639.0000000004D25000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb~q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbYnL source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.264528925.0000000002FF5000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.304143187.0000000002D30000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: .pdb%H source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: wwin32u.pdbdq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbu source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbrq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: @Cosymbols\dll\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
Source: Binary string: i.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Matiexgoods.exe, 00000009.00000000.253083713.0000000000322000.00000002.00020000.sdmp
Source: Binary string: ole32.pdb(q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\Orders.PDB source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb;nb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdbCnJ source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbo source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.495266198.0000000002AC7000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.261989055.0000000003001000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.307051340.0000000002D3C000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdbcal\Temp\hawkgoods.exeAAX source: hawkgoods.exe, 00000006.00000002.495266198.0000000002AC7000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: Orders.PDB source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: System.Data.DataSetExtensions.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb source: Orders.exe, 00000001.00000002.357040071.0000000002FFB000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb<q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb>> source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: oC:\Windows\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb%o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: msvcr80.i386.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb#o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb_ source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: i.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.pdbu source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: hawkgoods.exe, 00000006.00000002.492246484.0000000000D40000.00000004.00000020.sdmp
                    Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdbHs source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb.q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdb0| source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: i0C:\Windows\mscorlib.pdb source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Core.pdb"" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.282564070.0000000005291000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdbVq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.282564070.0000000005291000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.Xml.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: clrjit.pdbxq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdb=nh source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp
                    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb/o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.262032380.0000000003007000.00000004.00000001.sdmp
                    Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdbs source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb0q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: shell32.pdbx source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb7 source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: powrprof.pdb6q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdbq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp
                    Source: Binary string: oC:\Windows\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: System.pdb7o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: symbols\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: WLDP.pdbjq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Kernel.Appcore.pdbW source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Matiexgoods.exe, 00000009.00000000.253083713.0000000000322000.00000002.00020000.sdmp
                    Source: Binary string: msvcr120_clr0400.i386.pdbP source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdbN source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: Windows.Storage.pdbP source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdbknR source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Data.DataSetExtensions.pdb source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbd source: hawkgoods.exe, 00000006.00000002.495178056.0000000002AC0000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdbmnX source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb)n source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb"q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: winhttp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdbEnp source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: rtutils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdbOn~ source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264528925.0000000002FF5000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.304143187.0000000002D30000.00000004.00000001.sdmp
                    Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdbd source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdbanT source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: wUxTheme.pdb9o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: shfolder.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rasman.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe
                    Source: Binary string: System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdbMo source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.492246484.0000000000D40000.00000004.00000020.sdmp
                    Source: Binary string: ata.DataSetExtensions.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: psapi.pdb'n source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdbWnF source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: hawkgoods.exe, 00000006.00000002.506186983.0000000004FD0000.00000002.00000001.sdmp
                    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.262032380.0000000003007000.00000004.00000001.sdmp
                    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb1nd source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp Binary or memory string: autorun.inf
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp Binary or memory string: [autorun]
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp Binary or memory string: autorun.inf
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp Binary or memory string: [autorun]
                    Source: hawkgoods.exe Binary or memory string: autorun.inf
                    Source: hawkgoods.exe Binary or memory string: [autorun]
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp Binary or memory string: autorun.inf
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp Binary or memory string: [autorun]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then call 02A61B20h
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then jmp 02A61A73h
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then jmp 02A61A73h
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then call 02A61B20h
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then mov esp, ebp
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

                    Networking:

                    May check the online IP address of the machine
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: global trafficTCP traffic: 192.168.2.7:49738 -> 199.193.7.228:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 131.186.161.70 131.186.161.70
                    Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
                    Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: global trafficTCP traffic: 192.168.2.7:49738 -> 199.193.7.228:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.7:49727 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.7:49795 version: TLS 1.0
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00DDA14A recv,
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: hawkgoods.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
                    Source: origigoods40.exe, 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp, origigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: origigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
                    Source: origigoods20.exe, 0000000A.00000002.456583086.000000000305E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: origigoods20.exe, 0000000A.00000002.512148799.0000000006BA0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: powershell.exe, 00000002.00000002.357079299.0000000003489000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: origigoods20.exe, 0000000A.00000002.512148799.0000000006BA0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.usertrust.
                    Source: origigoods20.exe, 0000000A.00000002.450298777.0000000002EBD000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                    Source: origigoods40.exe, 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://csARxe.com
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
                    Source: powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp, origigoods20.exe, 0000000A.00000002.456583086.000000000305E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: origigoods20.exe, 0000000A.00000002.450298777.0000000002EBD000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                    Source: powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                    Source: powershell.exe, 00000002.00000002.360238676.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                    Source: WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                    Source: Orders.exe, powershell.exe, 00000002.00000003.344051726.0000000009925000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/DataSet1.xsd
                    Source: hawkgoods.exe, 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
                    Source: hawkgoods.exe | String found in binary or memory: http://whatismyipaddress.com/
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: hawkgoods.exe, 00000006.00000003.258405247.0000000005480000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                    Source: hawkgoods.exe, 00000006.00000003.257505914.000000000547F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                    Source: hawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: hawkgoods.exe, 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                    Source: hawkgoods.exe, 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
                    Source: hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                    Source: origigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp | String found in binary or memory: http://yQFlsb.com
                    Source: origigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                    Source: powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: hawkgoods.exe | String found in binary or memory: https://login.yahoo.com/config/login
                    Source: powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: origigoods20.exe, 0000000A.00000002.450298777.0000000002EBD000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                    Source: hawkgoods.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.251635347.0000000003EBD000.00000004.00000001.sdmp, origigoods40.exe, origigoods20.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
                    Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Orders.exe PID: 6824, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
                    Source: Yara match | File source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Contains functionality to log keystrokes (.Net Source)
                    Source: hawkgoods.exe.4.dr, Form1.cs | .Net Code: HookKeyboard
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                    Installs a global keyboard hook
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe
                    Source: origigoods20.exe, 0000000A.00000002.423201013.0000000000CAB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    .NET source code contains very large array initializations
                    Source: 8.2.origigoods40.exe.f0000.0.unpack, u003cPrivateImplementationDetailsu003eu007b772D8D2Cu002d540Eu002d45C7u002dB77Bu002d87944040F8A1u007d/u0033BD2C1DBu002d851Du002d4774u002dA593u002d2F90268EC16C.csLarge array initialization: .cctor: array initializer size 11965
                    Source: 8.0.origigoods40.exe.f0000.0.unpack, u003cPrivateImplementationDetailsu003eu007b772D8D2Cu002d540Eu002d45C7u002dB77Bu002d87944040F8A1u007d/u0033BD2C1DBu002d851Du002d4774u002dA593u002d2F90268EC16C.csLarge array initialization: .cctor: array initializer size 11965
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: Orders.exe
                    Powershell drops PE file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A958C6 NtSetContextThread,
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A9581E NtQuerySystemInformation,
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A9596E NtWriteVirtualMemory,
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A95898 NtSetContextThread,
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A957DA NtQuerySystemInformation,
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A95941 NtWriteVirtualMemory,
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeCode function: 10_2_00ECB16A NtQuerySystemInformation,
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeCode function: 10_2_00ECB139 NtQuerySystemInformation,
                    Source: C:\Users\user\Desktop\Orders.exeCode function: 1_2_00923F2E
                    Source: C:\Users\user\Desktop\Orders.exeCode function: 1_2_01538808
                    Source: C:\Users\user\Desktop\Orders.exeCode function: 1_2_01537698
                    Source: C:\Users\user\Desktop\Orders.exeCode function: 1_2_0153C540
                    Source: C:\Users\user\Desktop\Orders.exeCode function: 1_2_0153C4DF
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00DCDD17
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00DCDD17
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00DC1618
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010F12B8
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010FD768
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010FD768
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010FD768
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010F12B8
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010F12B8
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010F12B8
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010F12B8
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_010F716B
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_0067D426
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_0067D523
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_0068D5AE
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_00687646
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006B29BE
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006B6AF4
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006DABFC
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006D3C4D
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006D3CBE
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006D3D2F
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_0067ED03
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006D3DC0
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_0068AFA6
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_0067CF92
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A68710
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A66048
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A65758
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A67088
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A67098
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A61D98
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_006AC7BC
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeCode function: 8_2_000F5804
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeCode function: 8_2_000F2296
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeCode function: 8_2_008446A0
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeCode function: 8_2_008445B0
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeCode function: 8_2_0084D300
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: String function: 006BBA9D appears 35 times
                    Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1104
                    Source: hawkgoods.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: hawkgoods.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: hawkgoods.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Orders.exeBinary or memory string: OriginalFilename vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.357040071.0000000002FFB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE.dll" vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameyuhttCAxwLFZshSGnwmMrfvGZfDSzxEDrzwk.exe4 vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVNXT.exe* vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameE.exe4 vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameczzfIDlMOIuCXDkvbHSanvcpuIRYWjNm.exe4 vs Orders.exe
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exe
                    Source: Orders.exe, 00000001.00000002.368747808.0000000005400000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Orders.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeSection loaded: security.dll
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeSection loaded: security.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeSection loaded: security.dll
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeSection loaded: security.dll
                    Source: Orders.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000006.00000002.520293841.0000000007DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000006.00000002.520422224.0000000007DF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 6.2.hawkgoods.exe.7da0000.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 6.2.hawkgoods.exe.7df0000.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: Orders.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: I$s#$lT3ssl.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: hawkgoods.exe.4.dr, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported 3 times)
                    Source: hawkgoods.exe.4.dr, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported 3 times)
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: hawkgoods.exe.4.dr, Form1.cs | Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs | Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, Form1.cs | Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@42/37@63/7
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_02A94E52 AdjustTokenPrivileges
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_02A94E1B AdjustTokenPrivileges
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Code function: 10_2_00ECAFEE AdjustTokenPrivileges
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Code function: 10_2_00ECAFB7 AdjustTokenPrivileges
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210201
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7064
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5184
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess976
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1404:120:WilError_01
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6824
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03w4pbbs.uza.ps1
                    Source: Orders.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (reported 2 times)
                    Source: C:\Users\user\Desktop\Orders.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported 2 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (reported 2 times)
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported 2 times)
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (reported 23 times)
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (reported 14 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Orders.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 3 times)
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 10 times)
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 3 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 6 times)
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 5 times)
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: Orders.exe | Binary or memory string: INSERT INTO [dbo].[UsersTable] ([Id], [userName], [passWord], [locked]) VALUES (@Id, @userName, @passWord, @locked); SELECT Id, us
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: powershell.exe, 00000002.00000003.344051726.0000000009925000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[UsersTable] SET [Id] = @Id, [userName] = @userName, [passWord] = @passWord, [locked] = @locked WHERE (([Id] = @Original_Id) AND ([userName] = @Original_userName) AND ([passWord] = @Original_passWord) AND ([locked] = @Original_locked));
                    Source: Orders.exe | ReversingLabs: Detection: 22%
                    Source: C:\Users\user\Desktop\Orders.exe | File read: C:\Users\user\Desktop\Orders.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\Orders.exe 'C:\Users\user\Desktop\Orders.exe'
                    Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                    Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1104
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2132
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 2132
                    Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 176
                    Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 1096
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                    Source: C:\Users\user\Desktop\Orders.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: C:\Users\user\Desktop\Orders.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2132
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: unknown unknown
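The process tree above is the whole infection chain in five steps: Orders.exe runs PowerShell with an execution-policy bypass to copy itself into the Startup folder; it then starts RegAsm.exe with no arguments and hollows it; the hollowed RegAsm.exe drops and runs hawkgoods.exe, origigoods20.exe, origigoods40.exe and Matiexgoods.exe from %TEMP%; hawkgoods.exe runs vbc.exe /stext to dump mail and browser credentials to text files; and Matiexgoods.exe runs netsh wlan show profile to enumerate Wi-Fi profiles. The script below is an added example, not Joe Sandbox output and not code from any of the tools the report names. It parses "Process created" lines in the report's own format (copied from above, plus one constructed benign RegAsm invocation as a control) and flags each step. The indicator names, the three .NET hosts beyond RegAsm.exe and vbc.exe (RegSvcs.exe, MSBuild.exe, InstallUtil.exe) and the separator handling are assumptions.

```python
"""Process-chain indicators for the HawkEye/Matiex dropper chain above.

Added example; not Joe Sandbox output and not code from any tool named in the
report. Input lines are copied from the 'Process created' entries above (plus
one constructed benign control) in the form
    Source: <parent> | Process created: <image> <command line>
"""
import re

# Report lines (copied) plus one constructed benign RegAsm invocation.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Orders.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'",
    r"Source: C:\Users\user\Desktop\Orders.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0",
    r"Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
    r"Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile",
    # Constructed benign control: an operator registering a COM-visible assembly.
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RegAsm.exe /codebase MyLib.dll",
]

# Also tolerates the separator-less form 'Orders.exeProcess created:'.
LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*"
    r"(?P<image>\S+?\.exe)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)

# RegAsm.exe and vbc.exe are the hosts seen in this report; the other three are
# an assumption based on commonly abused .NET utilities.
HOLLOW_HOSTS = {"regasm.exe", "vbc.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
STARTUP_DIR = r"\start menu\programs\startup"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    """True for paths under a user profile and outside the Windows directory."""
    p = path.lower()
    return "\\users\\" in p and "\\windows\\" not in p


def _no_arguments(image, cmdline):
    # Argument-free when the de-quoted command line is just the image path or
    # its basename. Image paths containing spaces would need real tokenising.
    bare = cmdline.replace('"', "").replace("'", "").strip().lower()
    return bare in ("", image.lower(), _basename(image))


def parse_line(line):
    """Return {'parent', 'image', 'cmdline'} or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def indicators(ev):
    """Indicator names triggered by one process-creation event."""
    parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"].lower()
    exe = _basename(image)
    hits = []
    # Startup-folder persistence through a PowerShell execution-policy bypass.
    if (exe == "powershell.exe" and "-executionpolicy bypass" in cmd
            and "copy-item" in cmd and STARTUP_DIR in cmd):
        hits.append("powershell_bypass_copy_to_startup")
    # A .NET utility started without arguments by something in a user-writable
    # path: the shape of the process hollowing into RegAsm.exe seen above.
    if exe in HOLLOW_HOSTS and _no_arguments(image, ev["cmdline"]) and _user_writable(parent):
        hits.append("dotnet_host_no_args_from_user_path")
    # vbc.exe /stext <file> is NirSoft password-recovery syntax, not compiler syntax.
    if exe == "vbc.exe" and "/stext" in cmd:
        hits.append("nirsoft_stext_credential_dump")
    # Wi-Fi profile enumeration, the first step of Wi-Fi password capture.
    if exe == "netsh.exe" and re.search(r"wlan\s+show\s+profile", cmd):
        hits.append("netsh_wlan_profile_enumeration")
    # A hollowed .NET host launching executables from the user profile (%TEMP%).
    if _basename(parent) in HOLLOW_HOSTS and _user_writable(image):
        hits.append("dotnet_host_spawns_user_path_exe")
    return hits


def scan(lines):
    """Return [(image basename, [indicators]), ...] for every parseable line."""
    results = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            results.append((_basename(ev["image"]), indicators(ev)))
    return results


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LINES):
        print(f"{name:<16} {', '.join(hits) or '-'}")
```

Run directly, it prints one line per event; the benign RegAsm invocation with /codebase produces no indicator, which is the point of the argument-less check: legitimate RegAsm and vbc runs carry arguments, a hollowed one does not. In production the same indicators() function would be fed ParentImage, Image and CommandLine from Sysmon Event ID 1 or EDR telemetry instead of parsed report lines.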
                    Source: C:\Users\user\Desktop\Orders.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Orders.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Orders.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Orders.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: Orders.exe | Static file information: File size 1630720 > 1048576
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: Orders.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18d800
                    Source: Orders.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: crypt32.pdbPq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Data.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.261989055.0000000003001000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.304085639.0000000004D25000.00000004.00000001.sdmp
                    Source: Binary string: oleaut32.pdb~q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdbYnL source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.264528925.0000000002FF5000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.304143187.0000000002D30000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: winnsi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: .pdb%H source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
                    Source: Binary string: wwin32u.pdbdq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Configuration.pdbu source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: wimm32.pdbrq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe
                    Source: Binary string: @Cosymbols\dll\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe
                    Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: i.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Matiexgoods.exe, 00000009.00000000.253083713.0000000000322000.00000002.00020000.sdmp
                    Source: Binary string: ole32.pdb(q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: C:\Users\user\Desktop\Orders.PDB source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
                    Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: winhttp.pdb;nb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: pnrpnsp.pdbCnJ source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: nsi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdbo source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.495266198.0000000002AC7000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.261989055.0000000003001000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.307051340.0000000002D3C000.00000004.00000001.sdmp
                    Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdbcal\Temp\hawkgoods.exeAAX source: hawkgoods.exe, 00000006.00000002.495266198.0000000002AC7000.00000004.00000040.sdmp
                    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Orders.PDB source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
                    Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Data.DataSetExtensions.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: RunPE.pdb source: Orders.exe, 00000001.00000002.357040071.0000000002FFB000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: cfgmgr32.pdb<q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb>> source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: oC:\Windows\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdb%o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msvcr80.i386.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msvcp_win.pdb#o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb_ source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: i.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.pdbu source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: hawkgoods.exe, 00000006.00000002.492246484.0000000000D40000.00000004.00000020.sdmp
                    Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdbHs source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb.q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdb0| source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: i0C:\Windows\mscorlib.pdb source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Core.pdb"" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.282564070.0000000005291000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdbVq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.282564070.0000000005291000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.Xml.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: clrjit.pdbxq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdb=nh source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp
                    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb/o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.262032380.0000000003007000.00000004.00000001.sdmp
                    Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdbs source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb0q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: shell32.pdbx source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb7 source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: powrprof.pdb6q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdbq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp
                    Source: Binary string: oC:\Windows\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: System.pdb7o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: symbols\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: WLDP.pdbjq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Kernel.Appcore.pdbW source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Matiexgoods.exe, 00000009.00000000.253083713.0000000000322000.00000002.00020000.sdmp
                    Source: Binary string: msvcr120_clr0400.i386.pdbP source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdbN source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: Windows.Storage.pdbP source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdbknR source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Data.DataSetExtensions.pdb source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbd source: hawkgoods.exe, 00000006.00000002.495178056.0000000002AC0000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdbmnX source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb)n source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb"q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: winhttp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdbEnp source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: rtutils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdbOn~ source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264528925.0000000002FF5000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.304143187.0000000002D30000.00000004.00000001.sdmp
                    Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdbd source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdbanT source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: wUxTheme.pdb9o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: shfolder.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rasman.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe
                    Source: Binary string: System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdbMo source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.492246484.0000000000D40000.00000004.00000020.sdmp
                    Source: Binary string: ata.DataSetExtensions.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: psapi.pdb'n source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdbWnF source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: hawkgoods.exe, 00000006.00000002.506186983.0000000004FD0000.00000002.00000001.sdmp
                    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.262032380.0000000003007000.00000004.00000001.sdmp
                    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb1nd source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp

                    Data Obfuscation:

                    .NET source code contains potential unpacker
                    Source: hawkgoods.exe.4.dr, Form1.cs, .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: hawkgoods.exe.4.dr, Form1.cs, .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: hawkgoods.exe.4.dr, Form1.cs, .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: hawkgoods.exe.4.dr, Form1.cs, .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, Form1.cs, .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Binary contains a suspicious time stamp
                    Source: initial sample, Static PE information: 0xC3C29871 [Sat Jan 27 20:22:09 2074 UTC]
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00DCA1A8 push esp; iretd
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00DC5218 push eax; mov dword ptr [esp], ecx
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00DC8B17 push eax; mov dword ptr [esp], edx
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00DC8DA0 push eax; mov dword ptr [esp], edx
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_010FDE90 push FFFFFFC3h; ret
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Code function: 6_2_006E0712 push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Code function: 6_2_006BBA9D push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Code function: 6_2_00DE7EF4 push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Code function: 6_2_00DE7B84 push ebx; retf
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Code function: 6_2_00DE7B81 push ebx; retf
                    Source: initial sample, Static PE information: section name: .text entropy: 7.95293663991
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File created: C:\Users\user\AppData\Local\Temp\origigoods40.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File created: C:\Users\user\AppData\Local\Temp\origigoods20.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe

                    Boot Survival:

                    Drops PE files to the startup folder
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe\:Zone.Identifier:$DATA

                    Hooking and other Techniques for Hiding and Protection:

                    Changes the view of files in windows explorer (hidden files and folders)
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Orders.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe    Process information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM_3
                    Source: Yara match  File source: Process Memory Space: powershell.exe PID: 6896, type: MEMORY
                    Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe  Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc,threadDelayed,memAlloc
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe  Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc
                    Opens the same file many times (likely Sandbox evasion)
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe  File opened: C:\Users\user\AppData\Local\Temp\holderwb.txt count: 31050
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe  Thread delayed: delay time: 300000
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe  Thread delayed: delay time: 180000
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2203
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1108
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe  Window / User API: threadDelayed 5223
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe  Window / User API: threadDelayed 4566
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe  Window / User API: threadDelayed 1185
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe  Window / User API: threadDelayed 8466
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3480
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2575
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe  Window / User API: threadDelayed 2437
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe  Window / User API: threadDelayed 7323
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe  Window / User API: threadDelayed 1360
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe  Window / User API: threadDelayed 4198
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe  Window / User API: threadDelayed 361
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980  Thread sleep count: 2203 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980  Thread sleep count: 1108 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3748  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7028  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 7156  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5588  Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 2236  Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5512  Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6580  Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 6656  Thread sleep time: -27670116110564310s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 6652  Thread sleep count: 5223 > 30
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 6652  Thread sleep count: 4566 > 30
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -20291418481080494s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99829s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99704s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99547s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99438s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -198594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99188s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99047s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98938s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98829s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98579s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98438s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98188s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -196094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -195876s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97829s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97579s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -194876s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -194594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97188s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97047s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -96922s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -96813s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99859s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99750s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99625s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99516s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99406s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98891s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98672s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98563s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98406s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97797s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97656s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97547s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5228  Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6204  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6204  Thread sleep count: 110 > 30
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6204  Thread sleep time: -3300000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6204  Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6612  Thread sleep count: 224 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412  Thread sleep count: 3480 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412  Thread sleep count: 2575 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4660  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6568  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5716  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 5576  Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 5152  Thread sleep count: 2437 > 30
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 5152  Thread sleep count: 7323 > 30
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2640  Thread sleep count: 1360 > 30
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99797s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2640  Thread sleep count: 4198 > 30
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99563s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99344s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99234s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99125s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99016s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98797s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98547s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98438s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98328s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98219s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -98094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97938s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97797s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97547s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97438s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97328s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97219s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97109s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -97000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -96875s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -96766s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99828s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 4500  Thread sleep time: -99719s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5732  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5732  Thread sleep count: 115 > 30
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5732  Thread sleep time: -3450000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5732  Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5140  Thread sleep count: 361 > 30
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5732  Thread sleep time: -39344s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5732  Thread sleep time: -38718s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A964EA GetSystemInfo,
                    Source: powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmpBinary or memory string: Hyper-V
                    Source: origigoods20.exe, 0000000A.00000003.353466373.0000000000D68000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWices\Tcpip\Parameters|TcpMax
                    Source: hawkgoods.exe, 00000006.00000002.516643271.0000000007030000.00000002.00000001.sdmp, origigoods40.exe, 00000008.00000002.470696936.00000000056F0000.00000002.00000001.sdmp, origigoods20.exe, 0000000A.00000002.477580261.0000000005600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.340171504.0000000005420000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: WerFault.exe, 0000000B.00000003.327330446.0000000004D91000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                    Source: origigoods20.exe, 0000000A.00000002.512148799.0000000006BA0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltory
                    Source: WerFault.exe, 0000000B.00000002.338657008.0000000004D5C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWi
                    Source: hawkgoods.exe, 00000006.00000002.516643271.0000000007030000.00000002.00000001.sdmp, origigoods40.exe, 00000008.00000002.470696936.00000000056F0000.00000002.00000001.sdmp, origigoods20.exe, 0000000A.00000002.477580261.0000000005600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.340171504.0000000005420000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: hawkgoods.exe, 00000006.00000002.516643271.0000000007030000.00000002.00000001.sdmp, origigoods40.exe, 00000008.00000002.470696936.00000000056F0000.00000002.00000001.sdmp, origigoods20.exe, 0000000A.00000002.477580261.0000000005600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.340171504.0000000005420000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                    Source: hawkgoods.exe, 00000006.00000002.516643271.0000000007030000.00000002.00000001.sdmp, origigoods40.exe, 00000008.00000002.470696936.00000000056F0000.00000002.00000001.sdmp, origigoods20.exe, 0000000A.00000002.477580261.0000000005600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.340171504.0000000005420000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Orders.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_02A677F0 LdrInitializeThunk,
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\Orders.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    .NET source code references suspicious native API functions
                    Source: hawkgoods.exe.4.dr, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: hawkgoods.exe.4.dr, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 6.0.hawkgoods.exe.670000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 6.2.hawkgoods.exe.670000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 8.2.origigoods40.exe.f0000.0.unpack, A/b2.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 8.0.origigoods40.exe.f0000.0.unpack, A/b2.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Allocates memory in foreign processes
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 1D0000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Bypasses PowerShell execution policy
                    Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Injects a PE file into a foreign process
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Sample uses process hollowing technique
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 0
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Writes to foreign memory regions
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\Orders.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: C:\Users\user\Desktop\Orders.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2132
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess created: unknown unknown
                    Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                    Source: C:\Users\user\Desktop\Orders.exeQueries volume information: C:\Users\user\Desktop\Orders.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Orders.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Orders.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Orders.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Orders.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Orders.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Users\user\AppData\Local\Temp\origigoods40.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: unknown VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Users\user\AppData\Local\Temp\origigoods40.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Orders.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings:

                    Uses netsh to modify the Windows network and firewall settings
                    Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Source: hawkgoods.exe, 00000006.00000002.492246484.0000000000D40000.00000004.00000020.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara matchFile source: 00000025.00000000.399012238.0000000000E72000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000000.408264262.0000000000532000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.409742316.0000000003D5B000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.401891116.0000000001453000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.251635347.0000000003EBD000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.402397368.000000000405D000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.256024655.0000000001293000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.413799540.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.255331829.0000000003EBD000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.416654984.0000000000682000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.251123537.00000000000F2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.249596324.0000000001293000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.254611636.0000000003BAB000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.255709181.0000000003E51000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.392335998.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.249733611.0000000003BAB000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.397781851.0000000003D5B000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.251501400.0000000001293000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000000.254178193.0000000000682000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.427828296.00000000000F2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.402832252.0000000003D5B000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.388318104.0000000001453000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.412233865.000000000405D000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.397017946.0000000001453000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.246897806.0000000001293000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.415754718.0000000001453000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.246965930.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.251891646.0000000003BAB000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: origigoods20.exe PID: 5580, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: origigoods40.exe PID: 7116, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, type: DROPPED
                    Source: Yara matchFile source: 10.0.origigoods20.exe.680000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 39.0.origigoods20.exe.530000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 37.0.origigoods40.exe.e70000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.origigoods40.exe.f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.origigoods40.exe.f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.origigoods20.exe.680000.0.unpack, type: UNPACKEDPE
                    Yara detected HawkEye Keylogger
                    Source: Yara matchFile source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Orders.exe PID: 6824, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
                    Source: Yara matchFile source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Yara detected MailPassView
                    Source: Yara match | File source: Process Memory Space: Orders.exe PID: 6824, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
                    Source: Yara match | File source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Yara detected Matiex Keylogger
                    Source: Yara match | File source: Process Memory Space: Orders.exe PID: 6824, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
                    Source: Yara match | File source: 38.0.Matiexgoods.exe.6e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Matiexgoods.exe.320000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal WLAN passwords
                    Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Yara detected WebBrowserPassView password recovery tool
                    Source: Yara match | File source: Process Memory Space: Orders.exe PID: 6824, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
                    Source: Yara match | File source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: origigoods20.exe PID: 5580, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: origigoods40.exe PID: 7116, type: MEMORY

                    Remote Access Functionality:

                    Detected HawkEye Rat
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                    Source: hawkgoods.exe | String found in binary or memory: HawkEyeKeylogger
                    Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                    Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                    Source: hawkgoods.exe, 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: hawkgoods.exe, 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: hawkgoods.exe, 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: hawkgoods.exe, 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: hawkgoods.exe, 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp | String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                    Source: hawkgoods.exe, 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp | String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Yara detected AgentTesla
                    Source: Yara match | File source: Process Memory Space: origigoods20.exe PID: 5580, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: origigoods40.exe PID: 7116, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, type: DROPPED
                    Source: Yara match | File source: 10.0.origigoods20.exe.680000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 39.0.origigoods20.exe.530000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 37.0.origigoods40.exe.e70000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.origigoods40.exe.f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.origigoods40.exe.f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.origigoods20.exe.680000.0.unpack, type: UNPACKEDPE
                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: Process Memory Space: Orders.exe PID: 6824, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
                    Source: Yara match | File source: 6.0.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.0.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.hawkgoods.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.2.hawkgoods.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Yara detected Matiex Keylogger
                    Source: Yara match | File source: Process Memory Space: Orders.exe PID: 6824, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
                    Source: Yara match | File source: 38.0.Matiexgoods.exe.6e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Matiexgoods.exe.320000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_02A90A8E listen
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_02A90E9E bind
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_02A90E6B bind
                    Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_02A90A50 listen

                    Mitre Att&ck Matrix

                    The matrix is listed here one tactic (column) per line, techniques in the report's row order; digits in square brackets are the signature-count badges attached to a technique, reproduced as extracted.
                    Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                    Execution: Windows Management Instrumentation [231]; Native API [2]; Shared Modules [1]; Command and Scripting Interpreter [1]; PowerShell [2]; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                    Persistence: Startup Items [1]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [12]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
                    Privilege Escalation: Startup Items [1]; DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [411]; Registry Run Keys / Startup Folder [12]; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
                    Defense Evasion: Disable or Modify Tools [211]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [41]; Software Packing [13]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [26]; Access Token Manipulation [1]; Process Injection [411]; Hidden Files and Directories [1]
                    Credential Access: OS Credential Dumping [2]; Input Capture [211]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                    Discovery: Peripheral Device Discovery [1]; File and Directory Discovery [1]; System Information Discovery [126]; Query Registry [1]; Security Software Discovery [261]; Virtualization/Sandbox Evasion [26]; Process Discovery [1]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [1]; Permission Groups Discovery
                    Lateral Movement: Replication Through Removable Media [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
                    Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [211]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
                    Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [12]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

                    Behavior Graph

                    Behavior Graph ID: 346555 | Sample: Orders.exe | Start date: 01/02/2021 | Architecture: WINDOWS | Score: 100
                    (Graph image not reproduced; the node labels extracted from it are listed below.)
                    Sample-level: DNS/IP smtp.privateemail.com; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Capture Wi-Fi password; 21 other signatures.
                    • Orders.exe started; starts RegAsm.exe, powershell.exe and WerFault.exe.
                    • I$s#$lT3ssl.exe started; starts RegAsm.exe, powershell.exe and WerFault.exe.
                    • RegAsm.exe (from Orders.exe) drops C:\Users\user\AppData\...\origigoods40.exe, C:\Users\user\AppData\...\origigoods20.exe, C:\Users\user\AppData\Local\...\hawkgoods.exe and C:\Users\user\AppData\...\Matiexgoods.exe (all PE32) and starts hawkgoods.exe, Matiexgoods.exe, origigoods20.exe and origigoods40.exe.
                    • powershell.exe drops C:\Users\user\AppData\...\I$s#$lT3ssl.exe (PE32) and C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier (ASCII); signatures: Drops PE files to the startup folder; Powershell drops PE file; starts conhost.exe.
                    • WerFault.exe (from Orders.exe) drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian).
                    • RegAsm.exe (from I$s#$lT3ssl.exe) starts origigoods20.exe, Matiexgoods.exe and 2 other processes; those other processes contact 127.0.0.1 and drop C:\Users\user\AppData\...\hawkgoods.exe.log (ASCII).
                    • hawkgoods.exe: DNS/IP 178.229.4.0.in-addr.arpa (May check the online IP address of the machine) and whatismyipaddress.com 104.16.155.36, ports 49724, 80 (CLOUDFLARENET, United States); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 7 other signatures; starts dw20.exe, WerFault.exe and two vbc.exe instances (one vbc.exe starts WerFault.exe); dw20.exe and WerFault.exe each drop C:\ProgramData\Microsoft\...\Report.wer (Little-endian).
                    • Matiexgoods.exe: DNS/IP checkip.dyndns.org and 3 other IPs or domains; signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords; starts netsh.exe, which starts conhost.exe.
                    • origigoods20.exe: smtp.privateemail.com 199.193.7.228, ports 49737, 49738, 49739 (NAMECHEAP-NET, United States); signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Found evasive API chain (trying to detect sleep duration tampering with parallel thread).
                    • origigoods20.exe (second instance): Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal ftp login credentials.
                    • Matiexgoods.exe (second instance): 2 other IPs or domains.

                    Screenshots

                    (Screenshot thumbnails not reproduced.)

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    Orders.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                    Orders.exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Avira | TR/AD.MExecute.lzrac
                    C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Avira | SPR/Tool.MailPassView.473
                    C:\Users\user\AppData\Local\Temp\origigoods40.exe | 100% | Avira | TR/Spy.Gen8
                    C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 100% | Avira | TR/Redcap.jajcu
                    C:\Users\user\AppData\Local\Temp\origigoods20.exe | 100% | Avira | TR/Spy.Gen8
                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\origigoods40.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\origigoods20.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 46% | Metadefender |
                    C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.MatiexKeylogger
                    C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
                    C:\Users\user\AppData\Local\Temp\origigoods20.exe | 43% | Metadefender |
                    C:\Users\user\AppData\Local\Temp\origigoods20.exe | 86% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
                    C:\Users\user\AppData\Local\Temp\origigoods40.exe | 43% | Metadefender |
                    C:\Users\user\AppData\Local\Temp\origigoods40.exe | 83% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                    Unpacked PE Files

Source | Detection | Scanner | Label
10.0.origigoods20.exe.680000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
6.0.hawkgoods.exe.670000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
6.0.hawkgoods.exe.670000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
39.0.origigoods20.exe.530000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
36.0.hawkgoods.exe.3d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
36.0.hawkgoods.exe.3d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
37.0.origigoods40.exe.e70000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
8.2.origigoods40.exe.f0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
8.0.origigoods40.exe.f0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
38.0.Matiexgoods.exe.6e0000.0.unpack | 100% | Avira | TR/Redcap.jajcu
33.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
33.2.RegAsm.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
33.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Redcap.jajcu
33.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
4.2.RegAsm.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Redcap.jajcu
4.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
9.0.Matiexgoods.exe.320000.0.unpack | 100% | Avira | TR/Redcap.jajcu
10.2.origigoods20.exe.680000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
6.2.hawkgoods.exe.670000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
6.2.hawkgoods.exe.670000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
36.2.hawkgoods.exe.3d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
36.2.hawkgoods.exe.3d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://tempuri.org/DataSet1.xsd | 0% | Avira URL Cloud | safe
http://www.carterandcone.comva | 0% | Avira URL Cloud | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://csARxe.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/r-t | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/- | 0% | Avira URL Cloud | safe
http://www.tiro.comBs | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://www.carterandcone.coma | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/U | 0% | Avira URL Cloud | safe
http://www.carterandcone.come | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://ns.adobe.cobj | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.fontbureau.comaU | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/H | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.fontbureau.comituF | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/- | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/e | 0% | URL Reputation | safe
http://www.carterandcone.comri | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/H | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://en.wikipnrC | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png8 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnE | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | | high
freegeoip.app | 172.67.188.154 | true | false | | unknown
smtp.privateemail.com | 199.193.7.228 | true | false | | high
checkip.dyndns.com | 216.146.43.71 | true | false | | unknown
178.229.4.0.in-addr.arpa | unknown | unknown | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

                                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/ | false | | high

                                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | origigoods40.exe, 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp, origigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | Orders.exe, powershell.exe, 00000002.00000003.344051726.0000000009925000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comva | hawkgoods.exe, 00000006.00000003.258405247.0000000005480000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | | high
http://ns.adobe.c/g | Matiexgoods.exe, 00000009.00000003.390945104.0000000000A11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.com | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://csARxe.com | origigoods40.exe, 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/r-t | hawkgoods.exe, 00000006.00000003.260284177.0000000005459000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/- | hawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | false | | high
http://www.tiro.comBs | hawkgoods.exe, 00000006.00000003.258792974.000000000545B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/- | Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | hawkgoods.exe, 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp | false | | high
http://www.urwpp.deDPlease | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | hawkgoods.exe, 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.360238676.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.como. | hawkgoods.exe, 00000006.00000003.257987873.0000000005480000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.251635347.0000000003EBD000.00000004.00000001.sdmp, origigoods40.exe, origigoods20.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | origigoods20.exe, 0000000A.00000002.450298777.0000000002EBD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coma | hawkgoods.exe, 00000006.00000003.258405247.0000000005480000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/U | hawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.come | hawkgoods.exe, 00000006.00000003.258405247.0000000005480000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.cobj | Matiexgoods.exe, 00000009.00000003.390945104.0000000000A11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | origigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comaU | hawkgoods.exe, 00000006.00000002.509667210.0000000005450000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/H | hawkgoods.exe, 00000006.00000003.260284177.0000000005459000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | hawkgoods.exe, 00000006.00000003.257505914.000000000547F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comituF | hawkgoods.exe, 00000006.00000003.269541699.000000000545A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/jp/- | hawkgoods.exe, 00000006.00000003.259781833.0000000005456000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/e | hawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comri | hawkgoods.exe, 00000006.00000003.258445747.000000000545B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | origigoods20.exe, 0000000A.00000002.450298777.0000000002EBD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/jp/H | hawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://en.wikipnrC | hawkgoods.exe, 00000006.00000003.258792974.000000000545B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe |
                                                                          unknown
                                                                          http://www.tiro.comhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.goodfont.co.krhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.carterandcone.comhawkgoods.exe, 00000006.00000003.258405247.0000000005480000.00000004.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://pesterbdd.com/images/Pester.png8powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.founder.com.cn/cnEhawkgoods.exe, 00000006.00000003.256876634.000000000545B000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.typography.netDhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.galapagosdesign.com/staff/dennis.htmhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://fontfabrik.comhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.carterandcone.comEhawkgoods.exe, 00000006.00000003.258405247.0000000005480000.00000004.00000001.sdmpfalse
                                                                              unknown
                                                                              http://www.jiyu-kobo.co.jp/-cahawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.tiro.comxIChawkgoods.exe, 00000006.00000003.257505914.000000000547F000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://contoso.com/powershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.founder.com.cn/cnahawkgoods.exe, 00000006.00000003.257048632.000000000547F000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://api.ipify.org%GETMozilla/5.0origigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              low
                                                                              https://login.yahoo.com/config/loginhawkgoods.exefalse
                                                                                high
                                                                                http://www.fonts.comhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.sandoll.co.krhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.sakkal.comhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://github.com/Pester/Pester8powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.371690291.0000000006045000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://www.apache.org/licenses/LICENSE-2.0hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                        high
                                                                                        http://www.fontbureau.comhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                          high
                                                                                          http://DynDns.comDynDNSorigigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://sectigo.com/CPS0origigoods20.exe, 0000000A.00000002.450298777.0000000002EBD000.00000004.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fontbureau.comHhawkgoods.exe, 00000006.00000002.509667210.0000000005450000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.carterandcone.comTexhawkgoods.exe, 00000006.00000003.258445747.000000000545B000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphoneWerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephoneWerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://whatismyipaddress.comhawkgoods.exe, 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://www.jiyu-kobo.co.jp/jp/hawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://www.carterandcone.comicrtghawkgoods.exe, 00000006.00000003.258445747.000000000545B000.00000004.00000001.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://www.apache.org/licenses/LICENSE-2.0.html8powershell.exe, 00000002.00000002.362042809.0000000005122000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://www.fontbureau.com/designers/cabarga.htmlNhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://www.founder.com.cn/cnhawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://crl.usertrust.origigoods20.exe, 0000000A.00000002.512148799.0000000006BA0000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.jiyu-kobo.co.jp/hawkgoods.exe, 00000006.00000003.261120195.0000000005457000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.zhongyicts.com.cno.hawkgoods.exe, 00000006.00000003.257893151.0000000005480000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://yQFlsb.comorigigoods20.exe, 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.fontbureau.com/designers8hawkgoods.exe, 00000006.00000002.510169583.0000000005540000.00000002.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/WerFault.exe, 0000000B.00000003.278054941.0000000005550000.00000004.00000001.sdmpfalse
                                                                                                          high

                                                                                                          Contacted IPs


                                                                                                          Public

IP               Domain   Country        ASN    ASN Name         Malicious
131.186.161.70   unknown  United States  33517  DYNDNSUS         false
104.16.155.36    unknown  United States  13335  CLOUDFLARENETUS  false
199.193.7.228    unknown  United States  22612  NAMECHEAP-NETUS  false
216.146.43.71    unknown  United States  33517  DYNDNSUS         false
172.67.188.154   unknown  United States  13335  CLOUDFLARENETUS  false

                                                                                                          Private

                                                                                                          IP
                                                                                                          192.168.2.1
                                                                                                          127.0.0.1

                                                                                                          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 346555
Start date: 01.02.2021
Start time: 09:07:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 18m 19s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Orders.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@42/37@63/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.3%)
• Quality average: 42.5%
• Quality standard deviation: 36.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 92.122.144.200, 40.88.32.150, 51.104.139.180, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 168.61.161.212, 51.103.5.186, 13.88.21.125
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus15.cloudapp.net, emea1.wns.notify.trafficmanager.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/346555/sample/Orders.exe

Simulations

Behavior and APIs

Time      | Type             | Description
09:09:04  | API Interceptor  | 637x Sleep call for process: origigoods20.exe modified
09:09:06  | API Interceptor  | 847x Sleep call for process: origigoods40.exe modified
09:09:08  | API Interceptor  | 6x Sleep call for process: hawkgoods.exe modified
09:09:13  | API Interceptor  | 1x Sleep call for process: dw20.exe modified
09:09:21  | API Interceptor  | 46x Sleep call for process: powershell.exe modified
09:09:24  | API Interceptor  | 956x Sleep call for process: Matiexgoods.exe modified
09:09:28  | API Interceptor  | 4x Sleep call for process: WerFault.exe modified
09:09:38  | Autostart        | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe

Joe Sandbox View / Context

IPs

Match           | Associated Sample Name / URL                       | Detection  | Context
131.186.161.70  | Hydro-463459.exe                                   | malicious  | checkip.dyndns.org/
                | CHIKWA (2).exe                                     | malicious  | checkip.dyndns.org/
                | payment status.exe                                 | malicious  | checkip.dyndns.org/
                | IMG_10966.exe                                      | malicious  | checkip.dyndns.org/
                | 85H8KnUuMM.exe                                     | malicious  | checkip.dyndns.org/
                | SecuriteInfo.com.Trojan.Packed2.42783.3265.exe     | malicious  | checkip.dyndns.org/
                | SecuriteInfo.com.Trojan.Packed2.42783.17593.exe    | malicious  | checkip.dyndns.org/
                | SecuriteInfo.com.Trojan.Packed2.42783.24703.exe    | malicious  | checkip.dyndns.org/
                | Ewqm21Iwdh.exe                                     | malicious  | checkip.dyndns.org/
                | a4iz7zkilq.exe                                     | malicious  | checkip.dyndns.org/
                | Vcg9GH4CWw.exe                                     | malicious  | checkip.dyndns.org/
                | nMn5eAMhBy.exe                                     | malicious  | checkip.dyndns.org/
                | sSPHg0Y2cZ.exe                                     | malicious  | checkip.dyndns.org/
                | vK6VPijMoq.exe                                     | malicious  | checkip.dyndns.org/
                | COA for PI#Sc09283,PDF.exe                         | malicious  | checkip.dyndns.org/
                | Quotation for T10495.exe                           | malicious  | checkip.dyndns.org/
                | file.exe                                           | malicious  | checkip.dyndns.org/
                | Revised Invoice.exe                                | malicious  | checkip.dyndns.org/
                | INVO_0000765346700.exe                             | malicious  | checkip.dyndns.org/
                | 2Ul5CJzIrI.exe                                     | malicious  | checkip.dyndns.org/
104.16.155.36   | nzGUqSK11D.exe                                     | malicious  | whatismyipaddress.com/
                | PO 2010029_pdf Quotation from Alibaba Ale.exe      | malicious  | whatismyipaddress.com/
                | PO 2010029_pdf Quotation from Alibaba Ale.exe      | malicious  | whatismyipaddress.com/
                | hkaP5RPCGNDVq3Z.exe                                | malicious  | whatismyipaddress.com/
                | NDt93WWQwd089H7.exe                                | malicious  | whatismyipaddress.com/
                | PURCHASE ORDER.exe                                 | malicious  | whatismyipaddress.com/
                | BANK-STATMENT _xlsx.exe                            | malicious  | whatismyipaddress.com/
                | INQUIRY.exe                                        | malicious  | whatismyipaddress.com/
                | Prueba de pago.exe                                 | malicious  | whatismyipaddress.com/
                | mR3CdUkyLL.exe                                     | malicious  | whatismyipaddress.com/
                | 6JLHKYvboo.exe                                     | malicious  | whatismyipaddress.com/
                | jSMd8npgmU.exe                                     | malicious  | whatismyipaddress.com/
                | RXk6PjNTN8.exe                                     | malicious  | whatismyipaddress.com/
                | 9vdouqRTh3.exe                                     | malicious  | whatismyipaddress.com/
                | 5pB35gGfZ5.exe                                     | malicious  | whatismyipaddress.com/
                | fyxC4Hgs3s.exe                                     | malicious  | whatismyipaddress.com/
                | yk94P18VKp.exe                                     | malicious  | whatismyipaddress.com/
                | oLHQIQAI3N.exe                                     | malicious  | whatismyipaddress.com/
                | WuGzF7ZJ7P.exe                                     | malicious  | whatismyipaddress.com/
                | NXmokFkh3R.exe                                     | malicious  | whatismyipaddress.com/

Domains

Match                  | Associated Sample Name / URL                        | Detection  | Context
whatismyipaddress.com  | nzGUqSK11D.exe                                      | malicious  | 104.16.154.36
                       | PO 2010029_pdf Quotation from Alibaba Ale.exe       | malicious  | 104.16.155.36
                       | PO 2010029_pdf Quotation from Alibaba Ale.exe       | malicious  | 104.16.155.36
                       | hkaP5RPCGNDVq3Z.exe                                 | malicious  | 104.16.155.36
                       | B6LNCKjOGt5EmFQ.exe                                 | malicious  | 104.16.154.36
                       | NDt93WWQwd089H7.exe                                 | malicious  | 104.16.155.36
                       | JkhR5oeRHA.exe                                      | malicious  | 66.171.248.178
                       | PURCHASE ORDER.exe                                  | malicious  | 104.16.155.36
                       | BANK-STATMENT _xlsx.exe                             | malicious  | 104.16.154.36
                       | INQUIRY.exe                                         | malicious  | 104.16.154.36
                       | Prueba de pago.exe                                  | malicious  | 104.16.155.36
                       | 879mgDuqEE.jar                                      | malicious  | 66.171.248.178
                       | remittance1111.jar                                  | malicious  | 66.171.248.178
                       | 879mgDuqEE.jar                                      | malicious  | 66.171.248.178
                       | remittance1111.jar                                  | malicious  | 66.171.248.178
                       | https://my-alliances.co.uk/                         | malicious  | 66.171.248.178
                       | c9o0CtTIYT.exe                                      | malicious  | 104.16.154.36
                       | mR3CdUkyLL.exe                                      | malicious  | 104.16.155.36
                       | 6JLHKYvboo.exe                                      | malicious  | 104.16.155.36
                       | jSMd8npgmU.exe                                      | malicious  | 104.16.155.36
freegeoip.app          | Hydro-463459.exe                                    | malicious  | 172.67.188.154
                       | Payment Document.exe                                | malicious  | 172.67.188.154
                       | CHIKWA (2).exe                                      | malicious  | 104.21.19.200
                       | gGQWGJWR4jzvzse.exe                                 | malicious  | 104.21.19.200
                       | file.exe                                            | malicious  | 104.21.19.200
                       | PURCHASE ORDER..exe                                 | malicious  | 104.21.19.200
                       | my new file ify (1).exe                             | malicious  | 104.21.19.200
                       | IMG_166390pdf.exe                                   | malicious  | 172.67.188.154
                       | PAYMENT DETAILS.exe                                 | malicious  | 104.21.19.200
                       | payment status.exe                                  | malicious  | 172.67.188.154
                       | file.exe                                            | malicious  | 172.67.188.154
                       | customer Telex Transfer(TT).exe                     | malicious  | 172.67.188.154
                       | Agent Statement CargoPro.exe                        | malicious  | 104.21.19.200
                       | PURCHASE ORDER#34556558.exe                         | malicious  | 104.21.19.200
                       | 910023458.exe                                       | malicious  | 104.21.19.200
                       | Product_Catalogue,PDF.exe                           | malicious  | 104.21.19.200
                       | IMG_10966.exe                                       | malicious  | 104.21.19.200
                       | file.exe                                            | malicious  | 104.21.19.200
                       | IMG_05752003.exe                                    | malicious  | 104.21.19.200
                       | IMG_058741601.exe                                   | malicious  | 172.67.188.154
smtp.privateemail.com  | document.doc                                        | malicious  | 199.193.7.228
                       | order.exe                                           | malicious  | 199.193.7.228
                       | SecuriteInfo.com.Trojan.Packed2.42809.8145.exe      | malicious  | 199.193.7.228
                       | DHL-ADDRESS.xlsx                                    | malicious  | 199.193.7.228
                       | weg6tX6TTk78XZ5.exe                                 | malicious  | 199.193.7.228
                       | odT0zoYLJiNUQXd.exe                                 | malicious  | 199.193.7.228
                       | hkaP5RPCGNDVq3Z.exe                                 | malicious  | 199.193.7.228
                       | B6LNCKjOGt5EmFQ.exe                                 | malicious  | 199.193.7.228
                       | SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe   | malicious  | 199.193.7.228
                       | DHL-Address.xlsx                                    | malicious  | 199.193.7.228
                       | shipping-document.xlsx                              | malicious  | 199.193.7.228
                       | iVUeQOg6LO.exe                                      | malicious  | 199.193.7.228
                       | SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exe    | malicious  | 199.193.7.228
                       | DHL-document.xlsx                                   | malicious  | 199.193.7.228
                       | wCRnCAMZ3yT8BQ2.exe                                 | malicious  | 199.193.7.228
                       | Mj1eX5GWJxDRnuk.exe                                 | malicious  | 199.193.7.228
                       | SecuriteInfo.com.Trojan.Inject4.6535.8815.exe       | malicious  | 199.193.7.228
                       | shipping document.xlsx                              | malicious  | 199.193.7.228
                       | SecuriteInfo.com.Trojan.Inject4.6512.28917.exe      | malicious  | 199.193.7.228
                       | p72kooG5ak.exe                                      | malicious  | 199.193.7.228

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Match: NAMECHEAP-NETUS
  DHL_document11022020680908911.doc.exe | Get hash | malicious | Browse | 198.54.122.60
  DHL Details.exe | Get hash | malicious | Browse | 198.54.126.165
  order.doc | Get hash | malicious | Browse | 199.188.201.34
  aOn5CfTiwS.exe | Get hash | malicious | Browse | 198.54.117.244
  PO_55004.exe | Get hash | malicious | Browse | 68.65.122.156
  SecuriteInfo.com.Trojan.MulDrop16.10041.23448.exe | Get hash | malicious | Browse | 185.61.153.111
  SecuriteInfo.com.Trojan.Inject4.6821.6799.exe | Get hash | malicious | Browse | 199.188.200.150
  DCAjXz5y4I.exe | Get hash | malicious | Browse | 162.213.255.196
  NEW ORDER.xlsm | Get hash | malicious | Browse | 104.219.248.89
  Claim_250196008_01282021.xls | Get hash | malicious | Browse | 162.0.226.110
  Claim_250196008_01282021.xls | Get hash | malicious | Browse | 162.0.226.110
  lbqFKoALqe.exe | Get hash | malicious | Browse | 198.54.117.215
  j64eIR1IEK.exe | Get hash | malicious | Browse | 198.54.117.210
  document.doc | Get hash | malicious | Browse | 199.193.7.228
  CMA CGM Shipping Documents COAU7014424560.xlsx | Get hash | malicious | Browse | 198.54.117.215
  order.exe | Get hash | malicious | Browse | 199.193.7.228
  SecuriteInfo.com.Heur.11979.xls | Get hash | malicious | Browse | 162.0.226.110
  SecuriteInfo.com.Heur.11979.xls | Get hash | malicious | Browse | 162.0.226.110
  #Ud83d#Udce9.htm | Get hash | malicious | Browse | 198.54.115.249
  Pending Orders Statement -40064778.doc | Get hash | malicious | Browse | 198.54.122.60

Match: CLOUDFLARENETUS
  Vietcong Order February.xlsx | Get hash | malicious | Browse | 104.22.0.232
  Hydro-463459.exe | Get hash | malicious | Browse | 172.67.188.154
  Fature.xlsx | Get hash | malicious | Browse | 104.22.1.232
  Payment Document.exe | Get hash | malicious | Browse | 172.67.188.154
  CHIKWA (2).exe | Get hash | malicious | Browse | 172.67.188.154
  Orden revisada PO-WJO-001, pdf.exe | Get hash | malicious | Browse | 162.159.134.233
  gGQWGJWR4jzvzse.exe | Get hash | malicious | Browse | 104.21.19.200
  2021BLL0201.doc__.rtf | Get hash | malicious | Browse | 172.67.219.133
  order.doc | Get hash | malicious | Browse | 172.67.219.133
  InfoSender.exe | Get hash | malicious | Browse | 162.159.136.232
  cbUJVTVJ.exe | Get hash | malicious | Browse | 104.23.99.190
  SecuriteInfo.com.Trojan.Packed2.42783.20578.exe | Get hash | malicious | Browse | 104.23.98.190
  INWARD-OUTWARD ANALYSIS.xlsx | Get hash | malicious | Browse | 104.23.98.190
  e7zQwqIDCO.exe | Get hash | malicious | Browse | 104.21.15.91
  Doc29012010.xls | Get hash | malicious | Browse | 162.159.135.233
  file.exe | Get hash | malicious | Browse | 172.67.188.154
  PURCHASE ORDER..exe | Get hash | malicious | Browse | 104.21.19.200
  my new file ify (1).exe | Get hash | malicious | Browse | 104.21.19.200
  IMG_166390pdf.exe | Get hash | malicious | Browse | 172.67.188.154
  PAYMENT DETAILS.exe | Get hash | malicious | Browse | 104.21.19.200

Match: DYNDNSUS
  Hydro-463459.exe | Get hash | malicious | Browse | 131.186.161.70
  Payment Document.exe | Get hash | malicious | Browse | 216.146.43.71
  CHIKWA (2).exe | Get hash | malicious | Browse | 131.186.161.70
  gGQWGJWR4jzvzse.exe | Get hash | malicious | Browse | 216.146.43.70
  file.exe | Get hash | malicious | Browse | 216.146.43.70
  PURCHASE ORDER..exe | Get hash | malicious | Browse | 216.146.43.70
  my new file ify (1).exe | Get hash | malicious | Browse | 216.146.43.70
  IMG_166390pdf.exe | Get hash | malicious | Browse | 131.186.113.70
  PAYMENT DETAILS.exe | Get hash | malicious | Browse | 216.146.43.70
  payment status.exe | Get hash | malicious | Browse | 131.186.161.70
  file.exe | Get hash | malicious | Browse | 216.146.43.70
  customer Telex Transfer(TT).exe | Get hash | malicious | Browse | 216.146.43.71
  Agent Statement CargoPro.exe | Get hash | malicious | Browse | 162.88.193.70
  PURCHASE ORDER#34556558.exe | Get hash | malicious | Browse | 216.146.43.71
  910023458.exe | Get hash | malicious | Browse | 216.146.43.71
  Product_Catalogue,PDF.exe | Get hash | malicious | Browse | 216.146.43.70
  IMG_10966.exe | Get hash | malicious | Browse | 131.186.161.70
  file.exe | Get hash | malicious | Browse | 216.146.43.70
  IMG_05752003.exe | Get hash | malicious | Browse | 216.146.43.70
  IMG_058741601.exe | Get hash | malicious | Browse | 216.146.43.71

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  Hydro-463459.exe | Get hash | malicious | Browse | 172.67.188.154
  Payment Document.exe | Get hash | malicious | Browse | 172.67.188.154
  CHIKWA (2).exe | Get hash | malicious | Browse | 172.67.188.154
  gGQWGJWR4jzvzse.exe | Get hash | malicious | Browse | 172.67.188.154
  cbUJVTVJ.exe | Get hash | malicious | Browse | 172.67.188.154
  SecuriteInfo.com.Trojan.Packed2.42783.20578.exe | Get hash | malicious | Browse | 172.67.188.154
  file.exe | Get hash | malicious | Browse | 172.67.188.154
  PURCHASE ORDER..exe | Get hash | malicious | Browse | 172.67.188.154
  my new file ify (1).exe | Get hash | malicious | Browse | 172.67.188.154
  IMG_166390pdf.exe | Get hash | malicious | Browse | 172.67.188.154
  PAYMENT DETAILS.exe | Get hash | malicious | Browse | 172.67.188.154
  payment status.exe | Get hash | malicious | Browse | 172.67.188.154
  file.exe | Get hash | malicious | Browse | 172.67.188.154
  customer Telex Transfer(TT).exe | Get hash | malicious | Browse | 172.67.188.154
  Agent Statement CargoPro.exe | Get hash | malicious | Browse | 172.67.188.154
  PURCHASE ORDER#34556558.exe | Get hash | malicious | Browse | 172.67.188.154
  910023458.exe | Get hash | malicious | Browse | 172.67.188.154
  Product_Catalogue,PDF.exe | Get hash | malicious | Browse | 172.67.188.154
  IMG_10966.exe | Get hash | malicious | Browse | 172.67.188.154
  file.exe | Get hash | malicious | Browse | 172.67.188.154

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_I$s#$lT3ssl.exe_475c1b6650cb1237ccbea93f193b5c1a2bf60cf_f556f9f0_08026e6f\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 13900
Entropy (8bit): 3.773983523806153
Encrypted: false
SSDEEP: 192:u25OV0nrZHBUZMXCaKYQ/u7sKS274It+6:X5OV0n1BUZMXCaA/u7sKX4It+6
MD5: FB2F2036931CB1395C726988B97D875D
SHA1: 603F71DACEF6685982C26933F3E6F8BED3CCE4CA
SHA-256: 2BBB1DCCB832D08D4162F1863ECC53F9F5DFF935C477B3092BBFDBA778882E6E
SHA-512: 69695CD6B357E1C8A25E042050AD9FECCC69EFFD808E87544BB5DC4F3434DC32650AC6D4B2BA563C0AF75E6871EBA14C7DDF6739014EAD24B9E572A993D660CF
Malicious: false
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.6.7.3.0.0.8.1.4.0.1.3.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.6.7.3.0.5.8.2.3.3.6.8.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.0.3.3.2.1.0.-.1.1.c.f.-.4.d.c.c.-.8.4.8.d.-.0.b.c.b.b.6.2.c.b.d.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.7.7.b.a.1.a.-.e.7.3.e.-.4.0.3.1.-.b.7.e.1.-.b.7.2.3.b.e.e.2.0.b.a.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.$.s.#.$.l.T.3.s.s.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.D.O.r.G.S.K.g.i.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.4.0.-.0.0.0.1.-.0.0.1.7.-.e.0.8.2.-.d.1.0.b.b.d.f.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.4.5.c.e.2.d.b.6.3.d.3.6.8.1.b.5.5.3.1.3.2.2.4.8.7.c.a.5.d.f.5.0.0.0.0.0.0.0.0.!.0.0.0.0.0.4.2.2.0.8.c.7.a.2.3.2.b.8.0.6.c.6.3.8.2.e.3.4.4.1.7.f.9.c.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Orders.exe_c173c4d7306a40d1422278d49383db0ef5e6f35_c446bb0c_083415f8\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 13506
Entropy (8bit): 3.7675454560927717
Encrypted: false
SSDEEP: 192:K4wuaqn4eZHBUZMXKaKYQ/u7s0S274ItVF:muaqn/BUZMXKaA/u7s0X4ItVF
MD5: B90004AF7E82B0DF2BC9ED745227951B
SHA1: 6A2160DFFA308B06AEBC5D6C821D51E23FF15DA8
SHA-256: 5CBD7E729F68357E272E73C76ECECEBEFC7774A14C3E549140CFE9D9E401FEDC
SHA-512: 562CCEA7499253B5DBB2E9266F687ADFD70265A197EBFEADC08DB5D66CABD03569F6060A1908E4C3E0DE6D31412CAF4F290DB2778C3183B093CDB3FB9632E316
Malicious: true
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.6.7.2.9.4.0.6.5.5.8.9.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.6.7.2.9.5.6.4.0.5.8.4.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.7.f.f.3.c.3.-.b.6.e.d.-.4.b.8.a.-.8.1.4.f.-.6.f.6.7.6.0.4.6.e.4.a.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.1.1.c.6.1.9.-.6.7.7.6.-.4.4.6.d.-.a.6.1.b.-.c.8.9.7.7.3.8.e.4.f.a.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.r.d.e.r.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.D.O.r.G.S.K.g.i.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.8.-.0.0.0.1.-.0.0.1.7.-.6.a.7.a.-.4.c.e.6.b.c.f.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.4.5.c.e.2.d.b.6.3.d.3.6.8.1.b.5.5.3.1.3.2.2.4.8.7.c.a.5.d.f.5.0.0.0.0.0.0.0.0.!.0.0.0.0.0.4.2.2.0.8.c.7.a.2.3.2.b.8.0.6.c.6.3.8.2.e.3.4.4.1.7.f.9.c.8.e.2.a.9.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_697020edb13ed8bc761f5d6b0de413dddfcbfb_b4666e22_09649e14\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 17914
Entropy (8bit): 3.766572763101044
Encrypted: false
SSDEEP: 192:HMQL3pHBUZMXJyBaKsn9fbeN9M2v1zzvSXk0ZKjBIcQr+s/u7s0S274Itmxep:sQL3ZBUZMXiaEdvh/sl/u7s0X4ItOU
MD5: 540A1076AB927D79958E459AD3D1B4DC
SHA1: B534C3A5A908AB697FEB4DF17DF2843B71E12088
SHA-256: C591AF951213C92380B428C2A746A8FE019B2C29E1BE7466D0AF7D32E8CB5033
SHA-512: 7CECC337A7ED4CF8477FFE8CC35F8DDE7343777FAC67232F77D506B78EFEC9652930F288FD708BFC87550F667C5FBA4EC492FB39EC553A08D74993A999408916
Malicious: true
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.6.7.2.9.6.4.0.4.6.4.5.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.6.7.2.9.8.8.4.3.7.0.0.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.d.8.5.3.5.6.-.2.5.c.8.-.4.8.3.7.-.9.f.4.b.-.a.6.f.b.6.a.6.d.5.4.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.9.3.5.1.1.3.-.9.5.a.8.-.4.b.b.3.-.b.9.f.7.-.8.d.a.c.a.e.1.2.6.f.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.a.w.k.g.o.o.d.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.h.u.l.l.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.8.-.0.0.0.1.-.0.0.1.7.-.3.6.6.1.-.2.f.e.a.b.c.f.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.c.c.9.4.0.d.7.a.0.d.3.0.a.e.2.8.3.f.a.7.7.b.e.8.f.e.6.4.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.6.e.4.a.3.c.a.2.5.3.b.f.c.3.7.2.a.9.a.3.1.8.0.b.5.8.8.7.c.7.1.6.e.d.
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_93f07d9c4f92cda17563b29cabdf995c588ef9_00000000_1717da56\Report.wer
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):16962
                                                                                                          Entropy (8bit):3.757340103474675
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:xAg8QpQmV4yBaKsn9fbeN9M2v1zzvSXk0ZKjBIcQry/u7sOS274Itik:YQpQSaEdvh/sy/u7sOX4Itd
                                                                                                          MD5:5BD987FF56CF22B445B08ADBE0CEB94F
                                                                                                          SHA1:392A4A18E1FBF20D71EB44502A2E308C8B7D1FC2
                                                                                                          SHA-256:45BF7A559B278FBE5A6DC08AEFF4A289EC7CB1A022092832189F023C5AEBE91A
                                                                                                          SHA-512:56F5B005A65A94FEE33F8CB706B1D762A6B1103116758C2712408808F7F9968845855ECF1A633C39B97BF9BF94C59DD3191934D88E9AD2C468163E2D06FA4710
                                                                                                          Malicious:true
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.6.7.2.9.4.9.3.4.3.3.6.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.6.7.2.9.5.1.2.0.2.7.3.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.a.a.2.c.b.9.-.f.8.d.1.-.4.e.4.d.-.b.8.a.4.-.c.6.6.1.f.0.3.8.b.d.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.h.u.l.l.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.8.-.0.0.0.1.-.0.0.1.7.-.3.6.6.1.-.2.f.e.a.b.c.f.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.c.c.9.4.0.d.7.a.0.d.3.0.a.e.2.8.3.f.a.7.7.b.e.8.f.e.6.4.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.6.e.4.a.3.c.a.2.5.3.b.f.c.3.7.2.a.9.a.3.1.8.0.b.5.8.8.7.c.7.1.6.e.d.2.8.5.c.6.!.h.a.w.k.g.o.o.d.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.1././.1.9.:.1.0.:.0.8.:.3.8.!.0.!.h.a.w.k.g.o.o.d.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5...
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vbc.exe_fcdf79ff79f329d98f696167290ab3ea8a293_6c16ead4_18d4c207\Report.wer
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):7796
                                                                                                          Entropy (8bit):3.767893341675678
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:2wXKDmdHBUZMXQf9jY/u7s0S274ItE7GDB9:d6DEBUZMXojY/u7s0X4ItEOL
                                                                                                          MD5:958A2DD731FC8F6B1C9B021FE1834AF7
                                                                                                          SHA1:2DBD2A5C3C4C23B37A80BE7B98E72EA0E50C1BE6
                                                                                                          SHA-256:189108BF5EB1E837E15F6DACAEE0455BC60449B930A2E713BDB17224B996D924
                                                                                                          SHA-512:78448CFE3ECAC8ECF1A8A0DC01EBE9E92D5ACD4E64E70775B81BAF222BCA30C91256D66B56B06ACA5B09025009557DF411D076796BDC412234068790235420C6
                                                                                                          Malicious:false
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.6.7.2.9.6.0.2.6.5.2.0.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.6.7.2.9.7.8.5.1.5.1.5.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.4.2.c.1.7.9.-.d.3.e.b.-.4.1.a.4.-.b.4.e.4.-.2.f.5.d.6.f.2.1.4.6.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.a.6.0.9.e.3.-.b.d.c.3.-.4.c.4.9.-.a.7.f.a.-.4.1.f.3.9.d.7.3.8.c.9.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.d.0.-.0.0.0.1.-.0.0.1.7.-.e.5.2.6.-.e.f.f.5.b.c.f.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.8.7.d.9.a.6.e.c.3.f.2.6.2.e.8.b.7.1.d.1.9.a.c.1.5.7.c.2.a.2.8.6.a.0.f.5.9.d.d.!.v.b.c.
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F5.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4763
                                                                                                          Entropy (8bit):4.481634873006896
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:cvIwSD8zsoJgtWI9uoWSC8B08fm8M4JQ8nFLx+q8va88uwrAGd:uITfu9BSNDJZKwu+AGd
                                                                                                          MD5:CE13E8E50FA2947304ECADA1E7CAA44F
                                                                                                          SHA1:AF6C8E43C5D1CDDFF9B15159CD4EF384C6EC4DE1
                                                                                                          SHA-256:2F4CB97C8C06F97B5A6753EDA96A157E97D57B73AC55299D82C01FF0AC1C2E53
                                                                                                          SHA-512:3B97FA92819CDCCBACC13472ABB98158AB3B87F8B82C6B14642DBEC2F53B99C12518ECD9C545E77A7530817EA0EAC573E8710C01C15B589244F5ED8436FC077B
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842541" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER29B.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8410
                                                                                                          Entropy (8bit):3.697340644819152
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Rrl7r3GLNi/r6UXYaH6YgwSU3E90gmfZ1ySVCprE89bkWsfpsm:RrlsNiz6haH6Y3SU3EugmfWSsk1fH
                                                                                                          MD5:68A4C27D158EBA0E731D66B9346B9930
                                                                                                          SHA1:8E99C9CFB4FE2ED333C24DEE4C0C07275546C1DA
                                                                                                          SHA-256:E9782B937D6B13B05784BC3393AC133A1919743EA4336A6FF3CD4B70DC2AE0FD
                                                                                                          SHA-512:596B7395AE4738DD79E2BF12464187F8F2917E108CFE7CB400C5EA3475EC50DF8146A51ED6B3995EDFE07F3EB73B403ABF603349E5916F9B74000F090EEE2BBD
                                                                                                          Malicious:false
                                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.8.4.<./.P.i.d.>.......
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AF.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8290
                                                                                                          Entropy (8bit):3.7007069879870316
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Rrl7r3GLNimLh6kG6Y5h62VXE1gmf5NSVCprM89bxUsfDbm:RrlsNi86t6YP6ngmfjSUxHfu
                                                                                                          MD5:A0F3788B0B46128A48243F16026DE590
                                                                                                          SHA1:4AC781187472FB9C7793510116D36864F621D0AA
                                                                                                          SHA-256:7926E3187542ACB5424A9F918B157AD38DC9E7414EDFFF6E1610D66E7C37DC82
                                                                                                          SHA-512:1830472EA82F5B9680657EBCD7360452D9059582F2A8685D3420DA23AE538C458C8AD1AAB4AEC8CAADA315B25E20051591E68275297CD662A5FE4303B19B2BE6
                                                                                                          Malicious:false
                                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.9.7.6.<./.P.i.d.>.........
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER3846.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8314
                                                                                                          Entropy (8bit):3.699039341222745
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Rrl7r3GLNiJV68pV1/Md6Yt96F/gmf0SVCprg89bcksfGUm:RrlsNi76B6Yn6F/gmf0SQcXfM
                                                                                                          MD5:A47D60DEFFF9EF0624D266B32753A17F
                                                                                                          SHA1:AB5132A9A2F4EF53A959890FD995DBA6F26CA8C0
                                                                                                          SHA-256:5A5379F51B1B790D50F12F9F7FD7B335D0FDB598B96AE496ACA999B82DC87A2F
                                                                                                          SHA-512:118511C2C504B45754D692B632141C66207446D40C9D972D1EA5E2E6F0749C3BEFE669DC5E1DFA21BB31A395E7DCC0F8F7556F7FB06A9C928B5018551EFA21BD
                                                                                                          Malicious:false
                                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.6.4.<./.P.i.d.>.......
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER47E7.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4658
                                                                                                          Entropy (8bit):4.484578834337649
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:cvIwSD8zs/JgtWI9uoWSC8B6s8fm8M4JUkZFdt85+q84UTM5/URyHid:uITfh9BSN4RJJBt85oTM5cRyHid
                                                                                                          MD5:B7F5BFAE86E614D0AFE6ABB63E19E8DA
                                                                                                          SHA1:4301E15856ECB9EDA2E5B12494DF9C800EE9A0DF
                                                                                                          SHA-256:DCAB0D7A124EBA863ACEE61E3E157CEF36C979DD1EF9C01E32988B05B7D97F2E
                                                                                                          SHA-512:C799E8B5B1197F95B33AD481734CB537293C1D400CDD7A45314CF232D2C2F01FE0C6F96C227541E2CC13229D316008F88ACF5FE157599E5C522A2E18EE6F45D5
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842540" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F0.tmp.mdmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 14 streams, Mon Feb 1 17:09:33 2021, 0x60521 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6814003
                                                                                                          Entropy (8bit):4.736539329301494
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:98304:qMauqrXI79HphPb1Xa8yB20XvlieTYuerhfM1NlOMcTvd3:DxqrXI79HjOXbmMcF
                                                                                                          MD5:ACEA9DA01C4C4F05AC026518FF86F7CF
                                                                                                          SHA1:5AE5FDEE932EE816E8C3A30302F05CCD402AB269
                                                                                                          SHA-256:5235ED9F5781E3B08940425FADB1096933C47E696346934B963F77034F08489F
                                                                                                          SHA-512:7113C8E700FEEBBB8D39EC2C4B73F58253E86AED7D7473352280FEFBDF438174E1D900364FC4803CB8DE3E8C459C878B9DE70822D1A9FEA92840B1B2D627548F
                                                                                                          Malicious:false
                                                                                                          Preview: MDMP....... ........5.`!..................U...........B.......3......GenuineIntelW...........T............5.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERA992.tmp.dmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 14 streams, Mon Feb 1 17:09:06 2021, 0x1205a4 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):233680
                                                                                                          Entropy (8bit):3.7246203524598553
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3072:z0Yjd+pvJvSt0O9gIOgF5VUCgUmjoojd6OU:z0ppFKz9RpDVTjLERU
                                                                                                          MD5:52498EF1D5E8F92B63ECC3C47BE0C49F
                                                                                                          SHA1:FE35A724F444748D10A797F92FF3C8A5E2FB5BF6
                                                                                                          SHA-256:41F106CC80D75A395F54CF4246E7D5896ABAB03894BF770B79131DE580F5E5B4
                                                                                                          SHA-512:3814B6B79DC0640B58E6B18C968879EC2C1151A8A85F0DD7B5054A352599FAD3457FB551FC6CE9D29792FF1F666BD1D1016258CB2B519296E0DE550CAE20E690
                                                                                                          Malicious:false
                                                                                                          Preview: MDMP....... ........5.`...................U...........B......h ......GenuineIntelW...........T............5.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAF.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4643
                                                                                                          Entropy (8bit):4.484119805416583
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:cvIwSD8zs/JgtWI9uoWSC8B08fm8M4JlkZFJ+q8VU95lMSGd:uITfh9BSNfJa9195lTGd
                                                                                                          MD5:BFFCA8228F5B11E9364EC42E7F17DD77
                                                                                                          SHA1:C2561F761EF17908E398980AD450303D1A67C630
                                                                                                          SHA-256:387C0AF23BEA505763B9580F7EBC5EF00520B29249244BA651391E95AA8A6655
                                                                                                          SHA-512:9F15619A6817CEB4AF55BDD208021CA40C30C92724E0F6E69DCB6479CA8DC9A8DF8DA810B2C3E1E4BA45002E029EAA7712E7BFD6D03AA1F5AE8F0B540FF9B9F3
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842540" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB12E.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Mon Feb 1 17:10:25 2021, 0x1205a4 type
Category:dropped
Size (bytes):226746
Entropy (8bit):3.758060180058424
Encrypted:false
SSDEEP:3072:GA0Bjd+pVv3S20t9gIOgF5uUCgUnsT2SqoKTy:r0GpVvLo9RpDuTjnUqI
MD5:D7A5A9F582772EF13C62A888C7EDF2F9
SHA1:D73F28A641F8551FC8FD565DE1B878AC3C49987E
SHA-256:94F0D2BE41BCD650FDF4C379AE67F017B9358C28873C5AF16A904F479574A8A6
SHA-512:202F33A49BB7918FEBBC36ABA40313107D59D75F5EF44202D7114E67A2D985734A601E1E03D23BBB667E097508D671263E8C4CC6131095B43B4AABF3D7985763
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6DF.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8384
Entropy (8bit):3.6912217569118457
Encrypted:false
SSDEEP:192:Rrl7r3GLNiEb6/6YgZnSUbsgmfZ0ySVCprH89b/2sf0uMVm:RrlsNiQ6/6YknSUbsgmfzSF/Vf0uj
MD5:739390DCE27DCEDF34FA5157E1309291
SHA1:D3DE02641A291A357512681C254286DC90845607
SHA-256:FEDF50AAEF3EB58CFC1EB06D94A39CBB65C2E361F77CFC46671E591F438ED000
SHA-512:A029A0A11DC6FEA9119D67BCAD19E91C6FB6A18B1569E40103494A00F9783A627A0B307A74DE87F25BFD22731F15C82C1E3BC005FE8FFAF9B092E71158AB7D4B
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.2.4.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBC2.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4738
Entropy (8bit):4.456267471472871
Encrypted:false
SSDEEP:48:cvIwSD8zsjJgtWI9uoWSC8Bp8fm8M4JA8nFk+q8vH82N5uwijUd:uITf99BSNYJIKT5u5jUd
MD5:E6BD470C252D8E4C0C9C79B31F708E6F
SHA1:6BC73308E99D47AF5CF783BAE09D2B0CD9CCF576
SHA-256:E1EDEB9FD263CF77B679B96E5D15B8C05AE73940585D7B9E24244FFC4AC91BD4
SHA-512:D45B23D47FCC663985D143568E626D9C8BBC6B34FB17C257BCB521D65122B9DE50BA11DD137E78DC426C0D4C0B75F8568A72E8B9EAEDF7F0140A37B14B7CA422
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842539" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBEF.tmp.WERInternalMetadata.xml
Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):7628
Entropy (8bit):3.687161917724904
Encrypted:false
SSDEEP:192:Rrl7r3GLNiJk6o3XZe6Yts6F/gmfZSnSCCp12E1fNSm:RrlsNia6/6Y26F/gmfInSr2ufJ
MD5:6166ADFD7737F286C775339B065FF3F1
SHA1:39645E66FE7BBE326BFFBE7F7CFB37543F7507D6
SHA-256:FE2F9BCD79240F00107C21261022EBC3DFBE3E18FC67A609A6E3BF8BDDF0BFE2
SHA-512:6E1795B9EC2D5904D0867993350D37DA7EA674D04472D2D33D52A7915FE96FAFD2839E4C106FC84394E3F10FB26761B557BA93BA417DF90764AB2519FDC537D6
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.6.4.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD19.tmp.xml
Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4678
Entropy (8bit):4.442994253323229
Encrypted:false
SSDEEP:48:cvIwSD8zsjJgtWI9uoWSC8BIQ/8fm8M4JFKqJFL+q8vvDM5/URyHBd:uITf99BSN3kJFKSK7M5cRyHBd
MD5:113E576BC23CE85909DD33707B4D3D72
SHA1:50F8E0529504C8B788BC199FE1F7D516A2ADF7A1
SHA-256:F5E84846E011741FA5CF67C229B7891FA8CE4DB2E96D8F0605979887722113D4
SHA-512:D0A93EF150B778F2468832C65A6E1F3634D46BA07A5E4F39D6813D85470E4CDFC4C51700B22365D28544BCFFE19C21C4FABCA36FD4124C69A33C6BD0F36EF8B0
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842539" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF62B.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Mon Feb 1 17:09:22 2021, 0x1205a4 type
Category:dropped
Size (bytes):17418
Entropy (8bit):2.189553347266588
Encrypted:false
SSDEEP:96:51P8Q/5kt7zO7Mm7u2+D90ioBiT+QIbWInWIXmI4t9FOnuu3:TwyM2YaZBiKot9Yuu3
MD5:CF1313617E1BA67E74E9F9823A689161
SHA1:0D800C48004D989D56FEE92682ADC89CF2BEDFB8
SHA-256:1013A8A807BFA0EB7364602A98DBA64011238109D0E43E82ABDBBE464C7DFB81
SHA-512:BBAE7ED7F1F859D12564EFA13B9DF596F5544D60D9CAD96F4F681DE73724944B92C186F91DC13DBC45954260C55861F8ABACAD06E975EFD5D44909C63C857E4D
Malicious:false
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hawkgoods.exe.log
Process:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):916
Entropy (8bit):5.282390836641403
Encrypted:false
SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
MD5:5AD8E7ABEADADAC4CE06FF693476581A
SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
Malicious:true
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8003
Entropy (8bit):4.839308921501875
Encrypted:false
SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5:937C6E940577634844311E349BD4614D
SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious:false
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):16680
Entropy (8bit):5.575624550668492
Encrypted:false
SSDEEP:384:X7t9+XV0PidIvyosCh5dB+RnISBKnNRul4Itp7Y9g4SJQPiY4y:X/i3CfdyI4KLul4S54RP7v
MD5:748E24CE0A85BA329A226E109182E5D8
SHA1:A6E6DB81CD4B0FA5528F5CD03BA7D1C486DEDF87
SHA-256:1DDD69A6CFCFBFCBCF4A0EE0D7B3376A051124BC755DD15F414670A3A344114D
SHA-512:0B97E3A47BA46ABB3E64B7B52E84BC1647C6274B65BC51DA26153EEBB42D5950C802DD6009A7415632A6CC8D30940E849A488F834FCA1874B1BC712CF7ADC3D3
Malicious:false
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):455680
Entropy (8bit):5.4156534240521
Encrypted:false
SSDEEP:6144:L09yLLuWoujzz/DCBGNv5lToO7OsWXiOV:L09yLyWoujHDX5QO7OvXik
MD5:80C61B903400B534858D047DD0919F0E
SHA1:D0AB5400B74392308140642C75F0897E16A88D60
SHA-256:25ADE9899C000A27570B527CFFC938EC9626978219EC8A086082B113CBE4F492
SHA-512:B3216F0E4E95C7F50BCCBA5FDCCA2AD622A42379383BE855546FA1E0BAC41A6BEEA8226F8634AD5E0D8596169E0443494018BBE70B7052F094402AECAA038BCE
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 46%
• Antivirus: ReversingLabs, Detection: 86%
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03w4pbbs.uza.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uftfplo.nuv.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1dlmoaq.ohr.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oht352yv.150.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\hawkgoods.exe
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):532992
Entropy (8bit):6.507156751280516
Encrypted:false
SSDEEP:6144:DufqM5JXbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9E:uJXQtqB5urTIoYWBQk1E+VF9mOx9Ei
MD5:FFDB58533D5D1362E896E96FB6F02A95
SHA1:D6E4A3CA253BFC372A9A3180B5887C716ED285C6
SHA-256:B3D02FD5C69293DB419AC03CDF6396BD5E7765682FB3B2390454D9A52BA2CA88
SHA-512:3AE6E49D3D728531201453A0BC27436B1A4305C8EF938B2CBB5E34EE45BB9A9A88CF2A41B08E4914FDA9A96BBAA48BD999A2D2F1DFFCD39761BB1F3620CA725F
Malicious:true
Yara Hits:
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: JPCERT/CC Incident Response Group
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
C:\Users\user\AppData\Local\Temp\origigoods20.exe
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:modified
Size (bytes):220672
Entropy (8bit):6.057903449485828
Encrypted:false
SSDEEP:3072:SVQEat7UY8MnZGcqB5AyruUJ7XAzsNvEaEifv6yr9zRsc0qC4B0BUAE3vVAVvoUB:SytJqCUyQNX36yQqbB063cAUAW
MD5:61DC57C6575E1F3F2AE14C1B332AD2FB
SHA1:F52F34623048E5FD720E97A72EEDFD32358CD3A9
SHA-256:1C7757EE223F2480FBC478AE2ECAF82E1D3C17F2E4D47581D3972416166C54AB
SHA-512:81A7DB927F53660D3A04A161D5C18AAB17D676BCC7AE0738AB786D9BEE82B91016E54E6F70428AEC4087961744BE89B1511F9E07D8DABBE5C2A9D836722395A1
Malicious:true
Yara Hits:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 43%
• Antivirus: ReversingLabs, Detection: 86%
C:\Users\user\AppData\Local\Temp\origigoods40.exe
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):221696
Entropy (8bit):6.060343577776758
Encrypted:false
SSDEEP:3072:K9Wf3ouEAkhUxOCt+qqr3drw0tR5dUimnoSA7Mw4lY2hWYQQgGJrozRscS4+SOw6:KhuI3dlxUOt7IdWLOjCDUjU
MD5:AE36F0D16230B9F41FFECBD3C5B1D660
SHA1:88AFC2923D1EEFB70BAD3C0CD9304949954377EF
SHA-256:CFAD1E486666FF3FB042BA0E9967634DE1065F1BBD505C61B3295E55705A2A50
SHA-512:1E98AEE7DC693822113DCDE1446A5BED1C564B76EEF39F39F3A5D98D7D2099CF69AC92717A3297AFC7082203929F1E9437F21CB6BC690974A0EF6D6CF6E4393C
Malicious:true
Yara Hits:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 43%
• Antivirus: ReversingLabs, Detection: 83%
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1630720
Entropy (8bit):7.950446972015694
Encrypted:false
SSDEEP:49152:JWHSbycxNZlBaewSfpEH9G6mCK4IjLJa:YsxjlB1Bk9GVNL
MD5:E85DAF3A43F107B213310A53BFD35AA9
SHA1:042208C7A232B806C6382E34417F9C8E2A955747
SHA-256:0B1FBC81D9D9E685307E80D20AFE4B01C6538B903B77136B0D1DB2486FE8C6E8
SHA-512:29688E0FE124802B3317355E9836864147E56F6E1D47F702F88EA36DF813F0EB388818EAD042C4463619E17BD5EC295D4CFC4F0CAA2C2DBD90EDD22B2277EC7D
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 22%
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe:Zone.Identifier
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Roaming\pid.txt
Process:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:mTR:md
MD5:76D7C0780CEB8FBF964C102EBC16D75F
SHA1:294584E3F792CFE0D08E752B26164BC8173E7A95
SHA-256:1F6909D0BA546F3291D3A8FFA1107868D370ADE6C3DF0393C4B944E3437291F0
SHA-512:A916C528B82B2265AAAE77343BD2A18B7338D30EE75DEDFBF7654D0A28DFE8975D6C8C66B552D8CC1E157A7FC85C7EA2CF7E5F74488FEECE4D1917A0BF359A19
Malicious:false
Preview: 7064
C:\Users\user\AppData\Roaming\pidloc.txt
Process:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):50
Entropy (8bit):4.6483674395583785
Encrypted:false
SSDEEP:3:oNerbJSRE2J5xAI4F:oNe0i23f8
MD5:0CE4A330E42C174E8E8CF4D81C6F46A6
SHA1:D9CA3AD5CD90643DF99808D5FF0EC0E89E891FE0
SHA-256:94ABDE13F36EBE4B4AC81A712597439918788FD90339594FA1DDD679E7DAD70A
SHA-512:CE3453726B73A7423C69D94E4784966A6AA08381ABE9585AA323D0D80FAF63B3A31508B7083C3FEC6AB2727112573733D498F4F78389D75F64DDF6BABE581943
Malicious:false
Preview: C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe
C:\Users\user\Documents\20210201\PowerShell_transcript.320946.GXJdt0T3.20210201090850.txt
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1199
Entropy (8bit):5.200081162523958
Encrypted:false
SSDEEP:24:BxSAjUdZOvBdaOx2DOXCgluVM5wWzHjeTKKjX4CIym1ZJXbxvuVM5OnxSAZp:BZjbv6OoONuojzqDYB1Z1xvuogZZp
MD5:057FA50F48D04A36E4EAEFA244B5C169
SHA1:651D8F086A314A920C22758C6792D43FE782A608
SHA-256:DCF9967EF8BF7A51D965E20177FA747A2A72BF79F89D74CC5DFCBA27392E3BF5
SHA-512:C2C2FA3A3EE34E0DEBD0B05F9BF6F7E0A389A131AE0B86350F6F8BB4A14CA3CADA09D5D2D2DDA1B427905293F29F65A7C5CC0821792A949786303B5DFBDFAD8F
Malicious:false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201090908..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'..Process ID: 6896..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210201090909..**********************..PS>Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'..**************
                                                                                                          C:\Users\user\Documents\20210201\PowerShell_transcript.320946.zsUBLVk9.20210201090956.txt
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4005
                                                                                                          Entropy (8bit):5.381394861441764
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:BZW96ONWwrqDo1ZQwMZGc6ONWwrqDo1ZKnSdC3UC3UW3/Zj:ind
                                                                                                          MD5:F1255BA2BED2F944999756485BA4F2F1
                                                                                                          SHA1:21E4737A720482546901EAC1ED6E2071FBCB0E7F
                                                                                                          SHA-256:3128CD097294A8CB5E444912AF6F140BDFBE166FEE2B831150D3087C6DB21C17
                                                                                                          SHA-512:4948FE537A92C89D249A2DE7EA81A365B16CFBBF2084F79E1C488B805CA91CE4989F01C8FE6C20A2712C7CD0FB5A1F9CCC9DDBF1A299DD72962005D8857DB5E4
                                                                                                          Malicious:false
                                                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201091111..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'..Process ID: 5296..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210201091111..**********************..PS>Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.e
                                                                                                          C:\Users\user\Documents\Matiex Keylogger\Screenshot.png
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                                                                                                          File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                          Category:dropped
                                                                                                          Size (bytes):5794451
                                                                                                          Entropy (8bit):7.945637278937759
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:98304:dsGJgJ2Lg8sGJgJ2LgmsGJgJ2LgmsGJgJ2LgmsGJgJ2LgNpsGJgJ2LgqsGJgJ2LP:SSbgvSbgRSbgRSbgRSbgUSbgdSbgG
                                                                                                          MD5:F32EDC7587C52E7FB3CEEB67CC681A9B
                                                                                                          SHA1:5D809E1186725C794F051318D07C8F9D08E71DD7
                                                                                                          SHA-256:F96B2D3A1BE40A6F7D99D7E91773FF4CD8FF072FF773BA40326B055ACEED8D34
                                                                                                          SHA-512:538592A3BFD5EB39CF0447EFF465064B4E2AF3A6ADDE43A37A081458816EBA680B5314AA40B871B62DC341FEB26FD0730379A9243BA3C8392779A7DB8F45CD92
                                                                                                          Malicious:false
                                                                                                          Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....uEy...s...Q..f.%.1.Q..X.11.....*H.bo.., JS.....A.-&...v..Q.......?..u.........g....>..{z.{.g..++[....n....l{...v.X...l.'............+;..t...kv..vv._.N.M..$].c......F.4...&l..E..l.........:... ..u..r[.?E...mc[).....-.P..V...G=.n]....~.v.+[K]...@...Ge.........N.....w.....sD.|.9a.~6<..L.>......m..c!C#?..6........b.t.`.%...Y.f....ol.....c?.7.F.${...n.m.....&6.n.........P.]...}....OX.5.n.h.....4.X..`i.....R.-.].T.... c..&...H.y.q]...........Q.6.....P..B.^.5......z.c........_.....;.3..d.l.....;$...6..6.}..*|..l.^t.?f..2....C....6,j+3.>...-4m.k{..e...a..p...4L|O.d'..:.!.-..n ..@ ...]...g:c.....Rr0..4.........?*3H[.@.../..K.p..m....S........`.K.p.P.....Gbj..m......R.La._.K.p4..B.^.5......z.c........_.........d.,..8.....v.6.........v.....aQ[...a..m.i{X..,,.........E...M"...E.I6...7.z...,...#h,0 l.H0.l...../.....C.?....`$+.*&}..&6.D...6...Z..'.:v....2.`.-

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.950446972015694
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:Orders.exe
                                                                                                          File size:1630720
                                                                                                          MD5:e85daf3a43f107b213310a53bfd35aa9
                                                                                                          SHA1:042208c7a232b806c6382e34417f9c8e2a955747
                                                                                                          SHA256:0b1fbc81d9d9e685307e80d20afe4b01c6538b903b77136b0d1db2486fe8c6e8
                                                                                                          SHA512:29688e0fe124802b3317355e9836864147e56f6e1d47f702f88ea36df813f0eb388818ead042c4463619e17bd5ec295d4cfc4f0caa2c2dbd90edd22b2277ec7d
                                                                                                          SSDEEP:49152:JWHSbycxNZlBaewSfpEH9G6mCK4IjLJa:YsxjlB1Bk9GVNL
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.................0.................. ........@.. .......................@............@................................

                                                                                                          File Icon

                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x58f6ce
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                          Time Stamp:0xC3C29871 [Sat Jan 27 20:22:09 2074 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                          Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the last instruction repeats for the remainder of the preview: every byte after the jmp stub is 0x00, and the byte pair 00 00 disassembles as add byte ptr [eax], al)

                                                                                                          Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x18f680         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x190000         0x5be         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x192000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                          Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x18d6d4      0x18d800  False     0.791853994693   data       7.95293663991   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x190000         0x5be         0x600     False     0.434895833333   data       4.22642040324   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x192000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Resources

Name         RVA       Size   Type                                                                         Language  Country
RT_VERSION   0x1900a0  0x334  data
RT_MANIFEST  0x1903d4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                          Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                                          Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    oiESlUDzGd
Assembly Version  25.22.3.14
InternalName      mDOrGSKgiV.exe
FileVersion       25.22.3.14
CompanyName       umTKsPVLUs
Comments          wnrUpdIANR
ProductName       HPJqPQeMSZ
ProductVersion    25.22.3.14
FileDescription   mDOrGSKgiV
OriginalFilename  mDOrGSKgiV.exe

                                                                                                          Network Behavior

                                                                                                          Snort IDS Alerts

                                                                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                          02/01/21-09:09:08.110976TCP1201ATTACK-RESPONSES 403 Forbidden8049724104.16.155.36192.168.2.7

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 1, 2021 09:09:07.569933891 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:07.644108057 CET | 80 | 49723 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:07.644426107 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:07.645061016 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:07.720326900 CET | 80 | 49723 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:07.720357895 CET | 80 | 49723 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:07.720364094 CET | 80 | 49723 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:07.720462084 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:07.725764990 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:07.799046040 CET | 80 | 49723 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:08.020463943 CET | 49724 | 80 | 192.168.2.7 | 104.16.155.36
Feb 1, 2021 09:09:08.026357889 CET | 49725 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:08.060730934 CET | 80 | 49724 | 104.16.155.36 | 192.168.2.7
Feb 1, 2021 09:09:08.060949087 CET | 49724 | 80 | 192.168.2.7 | 104.16.155.36
Feb 1, 2021 09:09:08.062127113 CET | 49724 | 80 | 192.168.2.7 | 104.16.155.36
Feb 1, 2021 09:09:08.099446058 CET | 80 | 49725 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:08.099633932 CET | 49725 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:08.100845098 CET | 49725 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:08.102327108 CET | 80 | 49724 | 104.16.155.36 | 192.168.2.7
Feb 1, 2021 09:09:08.110975981 CET | 80 | 49724 | 104.16.155.36 | 192.168.2.7
Feb 1, 2021 09:09:08.176035881 CET | 80 | 49725 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:08.176124096 CET | 80 | 49725 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:08.176136017 CET | 80 | 49725 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:08.176549911 CET | 49725 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:08.176592112 CET | 49725 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:08.249598980 CET | 80 | 49725 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:08.272891045 CET | 49724 | 80 | 192.168.2.7 | 104.16.155.36
Feb 1, 2021 09:09:12.654989958 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:12.701138973 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:12.701245070 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:12.798677921 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:12.844975948 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:12.846554995 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:12.846597910 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:12.846705914 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:12.855519056 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:12.901724100 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:12.901892900 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:13.038564920 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:13.084671021 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:13.290333033 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:13.414352894 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:13.507807016 CET | 49728 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:13.580697060 CET | 80 | 49728 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:13.581615925 CET | 49728 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:13.581939936 CET | 49728 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:13.654639959 CET | 80 | 49728 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:13.654850006 CET | 80 | 49728 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:13.654874086 CET | 80 | 49728 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:13.655082941 CET | 49728 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:13.655669928 CET | 49728 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:13.656709909 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:13.702876091 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:13.719511032 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:13.728564024 CET | 80 | 49728 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:13.857872963 CET | 49731 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:13.914356947 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:13.930615902 CET | 80 | 49731 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:13.930720091 CET | 49731 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:13.931035995 CET | 49731 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.003655910 CET | 80 | 49731 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.003762960 CET | 80 | 49731 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.003801107 CET | 80 | 49731 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.003897905 CET | 49731 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.004287004 CET | 49731 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.004724026 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:14.069881916 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:14.077008009 CET | 80 | 49731 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.211262941 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:14.233859062 CET | 49732 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.306735992 CET | 80 | 49732 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.306864023 CET | 49732 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.307152987 CET | 49732 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.379934072 CET | 80 | 49732 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.379973888 CET | 80 | 49732 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.379997015 CET | 80 | 49732 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:14.380080938 CET | 49732 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.380409002 CET | 49732 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:14.453466892 CET | 80 | 49732 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:25.683118105 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.683119059 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.874058008 CET | 587 | 49738 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:25.874234915 CET | 587 | 49737 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:25.874285936 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.874669075 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.884875059 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.885530949 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.070074081 CET | 587 | 49738 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:26.070111990 CET | 587 | 49737 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:26.070348978 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.070352077 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.075392008 CET | 587 | 49738 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:26.075428009 CET | 587 | 49737 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:26.075548887 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.075551033 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.076323986 CET | 587 | 49738 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:26.076637983 CET | 587 | 49737 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:26.076716900 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.076719046 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.156609058 CET | 49739 | 587 | 192.168.2.7 | 199.193.7.228
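The packet list above is one row per TCP segment, which hides the shape of the session. Regrouped by connection it reads: five short HTTP exchanges with 216.146.43.71 (client ports 49723, 49725, 49728, 49731, 49732), one HTTP request to 104.16.155.36 on port 49724 that drew the Snort "403 Forbidden" alert, one HTTPS session with 172.67.188.154, and then, eleven seconds later, three connections to 199.193.7.228 on port 587 (SMTP submission) opened within half a second of each other, two of them in the same microsecond. A sandbox host that talks to nothing but a handful of web servers and then fans out several submission-port connections to one external mail server is the wire-level picture of a credential stealer mailing out its results. The Python below is an added example, not part of the sandbox report, that rebuilds flows from a transcribed subset of those rows and applies that heuristic; the flow-orientation rule, the service labels, the function names and the five-second window are the example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed subset transcribed from the TCP packet table above (not a full
# capture). Columns: timestamp, source port, destination port, source IP, destination IP.
PACKET_ROWS = """\
Feb 1, 2021 09:09:07.569933891 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:07.644108057 CET | 80 | 49723 | 216.146.43.71 | 192.168.2.7
Feb 1, 2021 09:09:07.644426107 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:07.645061016 CET | 49723 | 80 | 192.168.2.7 | 216.146.43.71
Feb 1, 2021 09:09:08.020463943 CET | 49724 | 80 | 192.168.2.7 | 104.16.155.36
Feb 1, 2021 09:09:08.060730934 CET | 80 | 49724 | 104.16.155.36 | 192.168.2.7
Feb 1, 2021 09:09:08.060949087 CET | 49724 | 80 | 192.168.2.7 | 104.16.155.36
Feb 1, 2021 09:09:08.110975981 CET | 80 | 49724 | 104.16.155.36 | 192.168.2.7
Feb 1, 2021 09:09:12.654989958 CET | 49727 | 443 | 192.168.2.7 | 172.67.188.154
Feb 1, 2021 09:09:12.701138973 CET | 443 | 49727 | 172.67.188.154 | 192.168.2.7
Feb 1, 2021 09:09:25.683118105 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.683119059 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.874058008 CET | 587 | 49738 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:25.874234915 CET | 587 | 49737 | 199.193.7.228 | 192.168.2.7
Feb 1, 2021 09:09:25.874285936 CET | 49738 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:25.874669075 CET | 49737 | 587 | 192.168.2.7 | 199.193.7.228
Feb 1, 2021 09:09:26.156609058 CET | 49739 | 587 | 192.168.2.7 | 199.193.7.228
"""

SERVICES = {80: "HTTP", 443: "HTTPS", 587: "SMTP submission"}  # labels assumed from port number


def parse_timestamp(text):
    """'Feb 1, 2021 09:09:07.569933891 CET' -> float seconds; the zone suffix is
    dropped and only differences between timestamps are used."""
    main, frac = text.replace(" CET", "").split(".")
    base = datetime.strptime(main, "%b %d, %Y %H:%M:%S")
    return base.timestamp() + float("0." + frac)


def parse_rows(text):
    """One (time, src ip, src port, dst ip, dst port) tuple per non-empty row."""
    packets = []
    for line in text.splitlines():
        if line.strip():
            ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
            packets.append((parse_timestamp(ts), sip, int(sport), dip, int(dport)))
    return packets


def flow_key(sip, sport, dip, dport):
    """Orient a segment client->server: the side with the higher (ephemeral) port
    is taken to be the client. Assumption that holds for the ports in this capture."""
    return (sip, sport, dip, dport) if sport > dport else (dip, dport, sip, sport)


def summarize_flows(packets):
    """Group segments into connections and count packets in each direction."""
    flows = {}
    for ts, sip, sport, dip, dport in packets:
        key = flow_key(sip, sport, dip, dport)
        st = flows.setdefault(key, {"first": ts, "last": ts, "to_server": 0, "from_server": 0})
        st["first"], st["last"] = min(st["first"], ts), max(st["last"], ts)
        st["to_server" if (sip, sport) == key[:2] else "from_server"] += 1
    return flows


def connections_per_server(flows):
    """Distinct client connections seen per (server IP, server port)."""
    counts = defaultdict(int)
    for (_, _, sip, sport) in flows:
        counts[(sip, sport)] += 1
    return dict(counts)


def smtp_exfil_candidates(flows, window_seconds=5.0, min_connections=2):
    """Servers receiving >= min_connections submission-port (587) connections that
    all start within window_seconds: several result sets mailed out in one run.
    Returns (server IP, connection count, spread in seconds) per hit."""
    starts = defaultdict(list)
    for (_, _, sip, sport), st in flows.items():
        if sport == 587:
            starts[sip].append(st["first"])
    hits = []
    for server, times in starts.items():
        times.sort()
        if len(times) >= min_connections and times[-1] - times[0] <= window_seconds:
            hits.append((server, len(times), round(times[-1] - times[0], 3)))
    return hits


def describe(flows):
    """Human-readable one-liner per connection, in order of first packet."""
    lines = []
    for (cip, cport, sip, sport), st in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        svc = SERVICES.get(sport, f"tcp/{sport}")
        lines.append(f"{cip}:{cport} -> {sip}:{sport} ({svc}): {st['to_server']} out / "
                     f"{st['from_server']} in, {st['last'] - st['first']:.3f}s")
    return lines


if __name__ == "__main__":
    flows = summarize_flows(parse_rows(PACKET_ROWS))
    print("\n".join(describe(flows)))
    print("per-server connections:", connections_per_server(flows))
    print("SMTP exfil candidates:", smtp_exfil_candidates(flows))
```

Run against the full table the same code yields ten segments for the 49723 connection and ten each for 49737 and 49738, but the verdict does not depend on volume: the three submission-port connections to 199.193.7.228 start within 0.47 s of one another, which is what the `smtp_exfil_candidates` check keys on. When triaging a capture like this, resolve the 587 destination from the DNS answers in the UDP table and treat the mail server's credentials, which the sample has to carry in its configuration, as the most useful indicator to extract.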

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 1, 2021 09:08:41.097795963 CET | 60338 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:41.150357008 CET | 53 | 60338 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:42.317720890 CET | 58717 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:42.367254019 CET | 53 | 58717 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:43.720391989 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:43.768136024 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:45.281250000 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:45.331974030 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:46.854796886 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:46.905754089 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:52.060491085 CET | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:52.111505032 CET | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:56.677571058 CET | 59451 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:56.726212025 CET | 53 | 59451 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:58.374330997 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:58.424185991 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:08:59.758740902 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:08:59.806689024 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:02.278642893 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:02.336200953 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:04.062025070 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:04.111485958 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:06.938735008 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:06.986632109 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:07.419259071 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:07.461031914 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:07.470134020 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:07.495611906 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:07.517234087 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:07.545397997 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:07.909754038 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:07.966373920 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:12.501633883 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:12.552354097 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:12.591841936 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:12.651006937 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:13.654509068 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:13.705180883 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:18.257209063 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:18.308031082 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:22.215455055 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:22.263302088 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:23.039397955 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:23.087352037 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:24.392739058 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:24.443696976 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:25.589675903 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:25.645951033 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:26.139452934 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:26.187345982 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:26.574780941 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:26.635169983 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:27.342576981 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:27.401709080 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:28.843076944 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:28.904061079 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:29.857877970 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:29.863385916 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:29.916075945 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:29.919811964 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:30.017498970 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:30.074986935 CET | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:30.388869047 CET | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:30.437252998 CET | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:31.158162117 CET | 50290 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:31.214703083 CET | 53 | 50290 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:31.359520912 CET | 60427 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:31.407432079 CET | 53 | 60427 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:32.297624111 CET | 56209 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:32.345649958 CET | 53 | 56209 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:32.426681042 CET | 59582 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:32.482837915 CET | 53 | 59582 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:33.199965000 CET | 60949 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:33.247741938 CET | 53 | 60949 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:33.781709909 CET | 58542 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:33.838100910 CET | 53 | 58542 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:35.222217083 CET | 59179 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:35.281311989 CET | 53 | 59179 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:36.815151930 CET | 60927 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:36.871431112 CET | 53 | 60927 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:38.522720098 CET | 57854 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:38.570617914 CET | 53 | 57854 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:41.057251930 CET | 62026 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:41.113337040 CET | 53 | 62026 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:41.629266024 CET | 59453 | 53 | 192.168.2.7 | 8.8.8.8
Feb 1, 2021 09:09:41.677333117 CET | 53 | 59453 | 8.8.8.8 | 192.168.2.7
Feb 1, 2021 09:09:43.564464092 CET | 62468 | 53 | 192.168.2.7 | 8.8.8.8
                                                                                                          Feb 1, 2021 09:09:43.623867989 CET53624688.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:45.562107086 CET5256353192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:45.620537996 CET53525638.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:46.048377037 CET5472153192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:46.096478939 CET53547218.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:48.584228039 CET6282653192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:48.635014057 CET53628268.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:49.392095089 CET6204653192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:49.451251984 CET53620468.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:50.287889957 CET5122353192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:50.335728884 CET53512238.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:51.225687981 CET6390853192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:51.273561954 CET53639088.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:52.402592897 CET4922653192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:52.461024046 CET53492268.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:54.105652094 CET6021253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:54.153479099 CET53602128.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:55.116416931 CET5886753192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:55.164320946 CET53588678.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:56.979058981 CET5086453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:57.040349960 CET53508648.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:09:59.813623905 CET6150453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:09:59.872525930 CET53615048.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:01.311166048 CET6023153192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:01.359045029 CET53602318.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:03.338654041 CET5009553192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:03.396924019 CET53500958.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:06.660375118 CET5965453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:06.716758013 CET53596548.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:09.055143118 CET5823353192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:09.113691092 CET53582338.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:09.680104017 CET5682253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:09.730823040 CET53568228.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:12.047480106 CET6257253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:12.105694056 CET53625728.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:15.124363899 CET5717953192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:15.183051109 CET53571798.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:20.697560072 CET5612453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:20.745560884 CET53561248.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:28.323434114 CET6228753192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:28.379592896 CET53622878.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:31.301953077 CET5464453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:31.358277082 CET53546448.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:34.665638924 CET5915953192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:34.722135067 CET53591598.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:38.560153961 CET5792453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:38.619128942 CET53579248.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:44.314034939 CET5171253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:44.362051964 CET53517128.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:46.398916960 CET5886553192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:46.446763039 CET53588658.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:46.617623091 CET6433753192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:46.668349981 CET53643378.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:47.651475906 CET5040753192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:47.707662106 CET53504078.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:50.737806082 CET6107553192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:50.785842896 CET53610758.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:54.680552006 CET5495253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:54.738976002 CET53549528.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:10:58.185655117 CET5918653192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:10:58.234071016 CET53591868.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:01.608866930 CET5228053192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:01.659627914 CET53522808.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:06.509452105 CET5179453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:06.566015005 CET53517948.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:07.648718119 CET5081553192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:07.699517012 CET53508158.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:09.420171976 CET5849853192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:09.469949961 CET53584988.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:13.456777096 CET5686253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:13.504885912 CET53568628.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:16.514466047 CET6180753192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:16.571065903 CET53618078.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:25.380804062 CET5200953192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:25.440049887 CET53520098.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:28.326708078 CET5864853192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:28.383287907 CET53586488.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:31.996967077 CET5933753192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:32.046541929 CET53593378.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:36.089000940 CET5926953192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:36.145209074 CET53592698.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:42.866492033 CET4980253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:42.914623976 CET53498028.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:45.625840902 CET5070653192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:45.673918009 CET53507068.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:48.393935919 CET5515353192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:48.450041056 CET53551538.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:52.302521944 CET5974453192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:52.358680964 CET53597448.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:54.186583996 CET5998753192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:54.234499931 CET53599878.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:11:58.350061893 CET6127253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:11:58.406557083 CET53612728.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:12:20.722248077 CET5435253192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:12:20.772998095 CET53543528.8.8.8192.168.2.7
                                                                                                          Feb 1, 2021 09:12:27.572242022 CET6069653192.168.2.78.8.8.8
                                                                                                          Feb 1, 2021 09:12:27.620141029 CET53606968.8.8.8192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 1, 2021 09:09:07.419259071 CET | 192.168.2.7 | 8.8.8.8 | 0x2a09 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.461031914 CET | 192.168.2.7 | 8.8.8.8 | 0x6479 | Standard query (0) | 178.229.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 1, 2021 09:09:07.495611906 CET | 192.168.2.7 | 8.8.8.8 | 0xcee6 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.909754038 CET | 192.168.2.7 | 8.8.8.8 | 0x1312 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:12.591841936 CET | 192.168.2.7 | 8.8.8.8 | 0x3f9a | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:25.589675903 CET | 192.168.2.7 | 8.8.8.8 | 0xe914 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:27.342576981 CET | 192.168.2.7 | 8.8.8.8 | 0x99bb | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:28.843076944 CET | 192.168.2.7 | 8.8.8.8 | 0x8017 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:29.863385916 CET | 192.168.2.7 | 8.8.8.8 | 0x57ac | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:31.158162117 CET | 192.168.2.7 | 8.8.8.8 | 0x5741 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:32.426681042 CET | 192.168.2.7 | 8.8.8.8 | 0xbf50 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:33.781709909 CET | 192.168.2.7 | 8.8.8.8 | 0x2ee3 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:35.222217083 CET | 192.168.2.7 | 8.8.8.8 | 0x82cb | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:36.815151930 CET | 192.168.2.7 | 8.8.8.8 | 0xab5b | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:38.522720098 CET | 192.168.2.7 | 8.8.8.8 | 0x8e76 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:41.057251930 CET | 192.168.2.7 | 8.8.8.8 | 0x6841 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:43.564464092 CET | 192.168.2.7 | 8.8.8.8 | 0x8d5b | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:45.562107086 CET | 192.168.2.7 | 8.8.8.8 | 0x4620 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:46.048377037 CET | 192.168.2.7 | 8.8.8.8 | 0x5bad | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:48.584228039 CET | 192.168.2.7 | 8.8.8.8 | 0x4888 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:49.392095089 CET | 192.168.2.7 | 8.8.8.8 | 0x6453 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:51.225687981 CET | 192.168.2.7 | 8.8.8.8 | 0x5216 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:52.402592897 CET | 192.168.2.7 | 8.8.8.8 | 0x706b | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:54.105652094 CET | 192.168.2.7 | 8.8.8.8 | 0xea57 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:55.116416931 CET | 192.168.2.7 | 8.8.8.8 | 0xd093 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:56.979058981 CET | 192.168.2.7 | 8.8.8.8 | 0x40ab | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:59.813623905 CET | 192.168.2.7 | 8.8.8.8 | 0xd45a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:01.311166048 CET | 192.168.2.7 | 8.8.8.8 | 0xd490 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:03.338654041 CET | 192.168.2.7 | 8.8.8.8 | 0x6555 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:06.660375118 CET | 192.168.2.7 | 8.8.8.8 | 0x2ec7 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:09.055143118 CET | 192.168.2.7 | 8.8.8.8 | 0xd3a7 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:09.680104017 CET | 192.168.2.7 | 8.8.8.8 | 0x2393 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:12.047480106 CET | 192.168.2.7 | 8.8.8.8 | 0xa1bd | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:15.124363899 CET | 192.168.2.7 | 8.8.8.8 | 0x9c5e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:20.697560072 CET | 192.168.2.7 | 8.8.8.8 | 0xa29e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:28.323434114 CET | 192.168.2.7 | 8.8.8.8 | 0x83f8 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:31.301953077 CET | 192.168.2.7 | 8.8.8.8 | 0x6fdf | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:34.665638924 CET | 192.168.2.7 | 8.8.8.8 | 0xb5c1 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:38.560153961 CET | 192.168.2.7 | 8.8.8.8 | 0x13be | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:44.314034939 CET | 192.168.2.7 | 8.8.8.8 | 0x358c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.398916960 CET | 192.168.2.7 | 8.8.8.8 | 0x10ea | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.617623091 CET | 192.168.2.7 | 8.8.8.8 | 0xd7e0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:47.651475906 CET | 192.168.2.7 | 8.8.8.8 | 0xae10 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:50.737806082 CET | 192.168.2.7 | 8.8.8.8 | 0xa11c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:54.680552006 CET | 192.168.2.7 | 8.8.8.8 | 0x505 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:58.185655117 CET | 192.168.2.7 | 8.8.8.8 | 0xfa1 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:06.509452105 CET | 192.168.2.7 | 8.8.8.8 | 0x95f6 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:07.648718119 CET | 192.168.2.7 | 8.8.8.8 | 0xc742 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:09.420171976 CET | 192.168.2.7 | 8.8.8.8 | 0x23b3 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:13.456777096 CET | 192.168.2.7 | 8.8.8.8 | 0x111d | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:16.514466047 CET | 192.168.2.7 | 8.8.8.8 | 0x9783 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:25.380804062 CET | 192.168.2.7 | 8.8.8.8 | 0x385c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:28.326708078 CET | 192.168.2.7 | 8.8.8.8 | 0x7d35 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:31.996967077 CET | 192.168.2.7 | 8.8.8.8 | 0x7d75 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:36.089000940 CET | 192.168.2.7 | 8.8.8.8 | 0xd9ed | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:42.866492033 CET | 192.168.2.7 | 8.8.8.8 | 0xca66 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:45.625840902 CET | 192.168.2.7 | 8.8.8.8 | 0x5193 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:48.393935919 CET | 192.168.2.7 | 8.8.8.8 | 0xab93 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:52.302521944 CET | 192.168.2.7 | 8.8.8.8 | 0xde52 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:54.186583996 CET | 192.168.2.7 | 8.8.8.8 | 0xc204 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:58.350061893 CET | 192.168.2.7 | 8.8.8.8 | 0x5f3a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:12:20.722248077 CET | 192.168.2.7 | 8.8.8.8 | 0x5c6c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 1, 2021 09:12:27.572242022 CET | 192.168.2.7 | 8.8.8.8 | 0xf851 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 1, 2021 09:09:07.470134020 CET | 8.8.8.8 | 192.168.2.7 | 0x2a09 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 09:09:07.470134020 CET | 8.8.8.8 | 192.168.2.7 | 0x2a09 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.470134020 CET | 8.8.8.8 | 192.168.2.7 | 0x2a09 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.470134020 CET | 8.8.8.8 | 192.168.2.7 | 0x2a09 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.470134020 CET | 8.8.8.8 | 192.168.2.7 | 0x2a09 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.470134020 CET | 8.8.8.8 | 192.168.2.7 | 0x2a09 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.517234087 CET | 8.8.8.8 | 192.168.2.7 | 0x6479 | Name error (3) | 178.229.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 1, 2021 09:09:07.545397997 CET | 8.8.8.8 | 192.168.2.7 | 0xcee6 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 09:09:07.545397997 CET | 8.8.8.8 | 192.168.2.7 | 0xcee6 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.545397997 CET | 8.8.8.8 | 192.168.2.7 | 0xcee6 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.545397997 CET | 8.8.8.8 | 192.168.2.7 | 0xcee6 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.545397997 CET | 8.8.8.8 | 192.168.2.7 | 0xcee6 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.545397997 CET | 8.8.8.8 | 192.168.2.7 | 0xcee6 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.966373920 CET | 8.8.8.8 | 192.168.2.7 | 0x1312 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:07.966373920 CET | 8.8.8.8 | 192.168.2.7 | 0x1312 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:12.651006937 CET | 8.8.8.8 | 192.168.2.7 | 0x3f9a | No error (0) | freegeoip.app |  | 172.67.188.154 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:12.651006937 CET | 8.8.8.8 | 192.168.2.7 | 0x3f9a | No error (0) | freegeoip.app |  | 104.21.19.200 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:25.645951033 CET | 8.8.8.8 | 192.168.2.7 | 0xe914 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:27.401709080 CET | 8.8.8.8 | 192.168.2.7 | 0x99bb | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:28.904061079 CET | 8.8.8.8 | 192.168.2.7 | 0x8017 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:29.919811964 CET | 8.8.8.8 | 192.168.2.7 | 0x57ac | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:31.214703083 CET | 8.8.8.8 | 192.168.2.7 | 0x5741 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:32.482837915 CET | 8.8.8.8 | 192.168.2.7 | 0xbf50 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:33.838100910 CET | 8.8.8.8 | 192.168.2.7 | 0x2ee3 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:35.281311989 CET | 8.8.8.8 | 192.168.2.7 | 0x82cb | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:36.871431112 CET | 8.8.8.8 | 192.168.2.7 | 0xab5b | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:38.570617914 CET | 8.8.8.8 | 192.168.2.7 | 0x8e76 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:41.113337040 CET | 8.8.8.8 | 192.168.2.7 | 0x6841 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:43.623867989 CET | 8.8.8.8 | 192.168.2.7 | 0x8d5b | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:45.620537996 CET | 8.8.8.8 | 192.168.2.7 | 0x4620 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:46.096478939 CET | 8.8.8.8 | 192.168.2.7 | 0x5bad | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:48.635014057 CET | 8.8.8.8 | 192.168.2.7 | 0x4888 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:49.451251984 CET | 8.8.8.8 | 192.168.2.7 | 0x6453 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:51.273561954 CET | 8.8.8.8 | 192.168.2.7 | 0x5216 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:52.461024046 CET | 8.8.8.8 | 192.168.2.7 | 0x706b | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:54.153479099 CET | 8.8.8.8 | 192.168.2.7 | 0xea57 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:55.164320946 CET | 8.8.8.8 | 192.168.2.7 | 0xd093 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:57.040349960 CET | 8.8.8.8 | 192.168.2.7 | 0x40ab | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:09:59.872525930 CET | 8.8.8.8 | 192.168.2.7 | 0xd45a | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:01.359045029 CET | 8.8.8.8 | 192.168.2.7 | 0xd490 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:03.396924019 CET | 8.8.8.8 | 192.168.2.7 | 0x6555 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:06.716758013 CET | 8.8.8.8 | 192.168.2.7 | 0x2ec7 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:09.113691092 CET | 8.8.8.8 | 192.168.2.7 | 0xd3a7 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:09.730823040 CET | 8.8.8.8 | 192.168.2.7 | 0x2393 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:12.105694056 CET | 8.8.8.8 | 192.168.2.7 | 0xa1bd | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:15.183051109 CET | 8.8.8.8 | 192.168.2.7 | 0x9c5e | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:20.745560884 CET | 8.8.8.8 | 192.168.2.7 | 0xa29e | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:28.379592896 CET | 8.8.8.8 | 192.168.2.7 | 0x83f8 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:31.358277082 CET | 8.8.8.8 | 192.168.2.7 | 0x6fdf | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:34.722135067 CET | 8.8.8.8 | 192.168.2.7 | 0xb5c1 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:38.619128942 CET | 8.8.8.8 | 192.168.2.7 | 0x13be | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:44.362051964 CET | 8.8.8.8 | 192.168.2.7 | 0x358c | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.446763039 CET | 8.8.8.8 | 192.168.2.7 | 0x10ea | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 09:10:46.446763039 CET | 8.8.8.8 | 192.168.2.7 | 0x10ea | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.446763039 CET | 8.8.8.8 | 192.168.2.7 | 0x10ea | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.446763039 CET | 8.8.8.8 | 192.168.2.7 | 0x10ea | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.446763039 CET | 8.8.8.8 | 192.168.2.7 | 0x10ea | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.446763039 CET | 8.8.8.8 | 192.168.2.7 | 0x10ea | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.668349981 CET | 8.8.8.8 | 192.168.2.7 | 0xd7e0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 09:10:46.668349981 CET | 8.8.8.8 | 192.168.2.7 | 0xd7e0 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.668349981 CET | 8.8.8.8 | 192.168.2.7 | 0xd7e0 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.668349981 CET | 8.8.8.8 | 192.168.2.7 | 0xd7e0 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.668349981 CET | 8.8.8.8 | 192.168.2.7 | 0xd7e0 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:46.668349981 CET | 8.8.8.8 | 192.168.2.7 | 0xd7e0 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:47.707662106 CET | 8.8.8.8 | 192.168.2.7 | 0xae10 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:50.785842896 CET | 8.8.8.8 | 192.168.2.7 | 0xa11c | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:54.738976002 CET | 8.8.8.8 | 192.168.2.7 | 0x505 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:10:58.234071016 CET | 8.8.8.8 | 192.168.2.7 | 0xfa1 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:06.566015005 CET | 8.8.8.8 | 192.168.2.7 | 0x95f6 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:07.699517012 CET | 8.8.8.8 | 192.168.2.7 | 0xc742 | No error (0) | freegeoip.app |  | 172.67.188.154 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:07.699517012 CET | 8.8.8.8 | 192.168.2.7 | 0xc742 | No error (0) | freegeoip.app |  | 104.21.19.200 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:09.469949961 CET | 8.8.8.8 | 192.168.2.7 | 0x23b3 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:13.504885912 CET | 8.8.8.8 | 192.168.2.7 | 0x111d | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:16.571065903 CET | 8.8.8.8 | 192.168.2.7 | 0x9783 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:25.440049887 CET | 8.8.8.8 | 192.168.2.7 | 0x385c | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:28.383287907 CET | 8.8.8.8 | 192.168.2.7 | 0x7d35 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:32.046541929 CET | 8.8.8.8 | 192.168.2.7 | 0x7d75 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:36.145209074 CET | 8.8.8.8 | 192.168.2.7 | 0xd9ed | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:42.914623976 CET | 8.8.8.8 | 192.168.2.7 | 0xca66 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:45.673918009 CET | 8.8.8.8 | 192.168.2.7 | 0x5193 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:48.450041056 CET | 8.8.8.8 | 192.168.2.7 | 0xab93 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:52.358680964 CET | 8.8.8.8 | 192.168.2.7 | 0xde52 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:54.234499931 CET | 8.8.8.8 | 192.168.2.7 | 0xc204 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:11:58.406557083 CET | 8.8.8.8 | 192.168.2.7 | 0x5f3a | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:12:20.772998095 CET | 8.8.8.8 | 192.168.2.7 | 0x5c6c | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 1, 2021 09:12:27.620141029 CET | 8.8.8.8 | 192.168.2.7 | 0xf851 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• checkip.dyndns.org
• whatismyipaddress.com

                                                                                                          HTTP Packets

                                                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                          0192.168.2.749723216.146.43.7180C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                                                                                                          TimestampkBytes transferredDirectionData
                                                                                                          Feb 1, 2021 09:09:07.645061016 CET567OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Connection: Keep-Alive
                                                                                                          Feb 1, 2021 09:09:07.720357895 CET568INHTTP/1.1 200 OK
                                                                                                          Content-Type: text/html
                                                                                                          Server: DynDNS-CheckIP/1.0.1
                                                                                                          Connection: close
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Content-Length: 103
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                          1192.168.2.749724104.16.155.3680C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                          TimestampkBytes transferredDirectionData
                                                                                                          Feb 1, 2021 09:09:08.062127113 CET572OUTGET / HTTP/1.1
                                                                                                          Host: whatismyipaddress.com
                                                                                                          Connection: Keep-Alive
                                                                                                          Feb 1, 2021 09:09:08.110975981 CET573INHTTP/1.1 403 Forbidden
                                                                                                          Date: Mon, 01 Feb 2021 08:09:08 GMT
                                                                                                          Content-Type: text/plain; charset=UTF-8
                                                                                                          Content-Length: 16
                                                                                                          Connection: keep-alive
                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                          Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                          Set-Cookie: __cfduid=dc0f576a6bdb740121a521b10e56e0abf1612166948; expires=Wed, 03-Mar-21 08:09:08 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
                                                                                                          cf-request-id: 07fe3c7cfe00002c2a3a09c000000001
                                                                                                          Server: cloudflare
                                                                                                          CF-RAY: 61aa30419eee2c2a-FRA
                                                                                                          alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                          Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
                                                                                                          Data Ascii: error code: 1020


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                          10192.168.2.749799131.186.161.7080C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                                                                                                          TimestampkBytes transferredDirectionData
                                                                                                          Feb 1, 2021 09:11:12.173727036 CET6009OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Feb 1, 2021 09:11:12.333193064 CET6010INHTTP/1.1 200 OK
                                                                                                          Content-Type: text/html
                                                                                                          Server: DynDNS-CheckIP/1.0.1
                                                                                                          Connection: close
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Content-Length: 103
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49725 | 216.146.43.71 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:09:08.100845098 CET | 573 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 1, 2021 09:09:08.176124096 CET | 574 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.7 | 49728 | 216.146.43.71 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:09:13.581939936 CET | 608 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 1, 2021 09:09:13.654850006 CET | 609 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.7 | 49731 | 216.146.43.71 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:09:13.931035995 CET | 612 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 1, 2021 09:09:14.003762960 CET | 613 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.7 | 49732 | 216.146.43.71 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:09:14.307152987 CET | 625 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 1, 2021 09:09:14.379973888 CET | 626 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.7 | 49787 | 131.186.161.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:10:47.107336998 CET | 4601 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Feb 1, 2021 09:10:47.255414963 CET | 4602 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.7 | 49789 | 131.186.161.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:10:48.602536917 CET | 4673 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 1, 2021 09:10:48.751554966 CET | 4708 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.7 | 49796 | 131.186.161.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:11:09.370810032 CET | 5998 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 1, 2021 09:11:09.519227028 CET | 5999 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.7 | 49798 | 131.186.161.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 09:11:10.578613997 CET | 6002 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 1, 2021 09:11:10.729428053 CET | 6003 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 1, 2021 09:09:12.846597910 CET | 172.67.188.154 | 443 | 192.168.2.7 | 49727 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 10 02:00:00 CEST 2020 | Tue Aug 10 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
(chain, intermediate) | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
Feb 1, 2021 09:11:08.080755949 CET | 172.67.188.154 | 443 | 192.168.2.7 | 49795 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 10 02:00:00 CEST 2020 | Tue Aug 10 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
(chain, intermediate) | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 1, 2021 09:09:26.070074081 CET | 587 | 49738 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:26.070111990 CET | 587 | 49737 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:26.542262077 CET | 587 | 49739 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:26.542965889 CET | 49739 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:09:26.733292103 CET | 587 | 49739 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
Feb 1, 2021 09:09:26.734201908 CET | 49739 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:09:26.924452066 CET | 587 | 49739 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:09:27.786823988 CET | 587 | 49742 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:27.787065029 CET | 49742 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:09:27.977489948 CET | 587 | 49742 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
Feb 1, 2021 09:09:27.978559017 CET | 49742 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:09:28.168705940 CET | 587 | 49742 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:09:29.291637897 CET | 587 | 49743 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:30.307683945 CET | 587 | 49745 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:30.307943106 CET | 49745 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:09:30.498460054 CET | 587 | 49745 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
Feb 1, 2021 09:09:31.624129057 CET | 587 | 49748 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:31.624366045 CET | 49748 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:09:31.828180075 CET | 587 | 49748 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
Feb 1, 2021 09:09:32.868763924 CET | 587 | 49751 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:32.869801998 CET | 49751 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:09:33.060775995 CET | 587 | 49751 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
Feb 1, 2021 09:09:33.062131882 CET | 49751 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:09:33.252234936 CET | 587 | 49751 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:09:34.245853901 CET | 587 | 49753 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:34.246131897 CET | 49753 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:09:34.448278904 CET | 587 | 49753 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
Feb 1, 2021 09:09:34.449254990 CET | 49753 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:09:34.650857925 CET | 587 | 49753 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:09:35.666815996 CET | 587 | 49754 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:09:35.667145014 CET | 49754 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:09:35.857842922 CET | 587 | 49754 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
Feb 1, 2021 09:09:35.858234882 CET | 49754 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
                                                                                                          Feb 1, 2021 09:09:36.048633099 CET58749754199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:37.258519888 CET58749755199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:37.259180069 CET49755587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:37.451942921 CET58749755199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:37.452792883 CET49755587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:37.643287897 CET58749755199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:38.968457937 CET58749756199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:39.210808039 CET49756587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:39.402767897 CET58749756199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:39.403079033 CET49756587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:39.593038082 CET58749756199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:41.499866962 CET58749757199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:41.500339985 CET49757587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:41.697587967 CET58749757199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:41.697896957 CET49757587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:41.888237000 CET58749757199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:44.015326023 CET58749759199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:44.015656948 CET49759587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:44.206387043 CET58749759199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:44.206798077 CET49759587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:44.397104025 CET58749759199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:46.010077000 CET58749760199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:46.010464907 CET49760587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:46.200963020 CET58749760199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:46.201350927 CET49760587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:46.391472101 CET58749760199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:46.482547998 CET58749761199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:46.483606100 CET49761587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:46.674180984 CET58749761199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:46.674539089 CET49761587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:46.864466906 CET58749761199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:49.021258116 CET58749762199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:49.021744013 CET49762587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:49.212696075 CET58749762199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:49.213063002 CET49762587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:49.403084040 CET58749762199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:49.839150906 CET58749763199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:49.841936111 CET49763587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:50.032761097 CET58749763199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:50.050349951 CET49763587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:50.241517067 CET58749763199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:51.662520885 CET58749765199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:51.662803888 CET49765587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:51.853629112 CET58749765199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:51.853926897 CET49765587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:52.044117928 CET58749765199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:52.848010063 CET58749766199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:52.848278046 CET49766587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:53.039519072 CET58749766199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:53.039921999 CET49766587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:53.230359077 CET58749766199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:54.561728954 CET58749767199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:54.563697100 CET49767587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:54.766259909 CET58749767199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:54.766680002 CET49767587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:54.968338966 CET58749767199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:55.573234081 CET58749768199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:55.573508978 CET49768587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:55.775157928 CET58749768199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:55.775793076 CET49768587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:55.977308035 CET58749768199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:09:57.456283092 CET58749769199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:09:57.574637890 CET49769587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:09:57.765743017 CET58749769199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:09:57.766030073 CET49769587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:09:57.956275940 CET58749769199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:10:00.257128954 CET58749770199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:10:00.257553101 CET49770587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:10:00.448805094 CET58749770199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:10:00.449398994 CET49770587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:10:00.639345884 CET58749770199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:10:01.746170998 CET58749771199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:10:01.746746063 CET49771587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:10:01.938466072 CET58749771199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:10:01.939042091 CET49771587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:10:02.129501104 CET58749771199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:10:03.783962011 CET58749772199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:10:03.786161900 CET49772587192.168.2.7199.193.7.228EHLO 320946
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands/Responses
Feb 1, 2021 09:10:03.977035999 CET | 587 | 49772 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:03.977274895 CET | 49772 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:04.167577028 CET | 587 | 49772 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:07.101979017 CET | 587 | 49775 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:07.102372885 CET | 49775 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:07.292814016 CET | 587 | 49775 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:07.293241024 CET | 49775 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:07.483185053 CET | 587 | 49775 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:09.535029888 CET | 587 | 49776 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:09.535392046 CET | 49776 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:09.738449097 CET | 587 | 49776 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:09.738662958 CET | 49776 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:09.940058947 CET | 587 | 49776 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:10.126203060 CET | 587 | 49777 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:10.126758099 CET | 49777 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:10.319638014 CET | 587 | 49777 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:10.322546005 CET | 49777 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:10.512877941 CET | 587 | 49777 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:12.493911982 CET | 587 | 49778 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:12.494122028 CET | 49778 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:12.684755087 CET | 587 | 49778 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:12.685213089 CET | 49778 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:12.875643015 CET | 587 | 49778 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:15.577409029 CET | 587 | 49779 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:15.579004049 CET | 49779 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:15.769638062 CET | 587 | 49779 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:16.006798029 CET | 49779 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:16.196917057 CET | 587 | 49779 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:21.133332014 CET | 587 | 49780 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:21.133624077 CET | 49780 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:21.325062990 CET | 587 | 49780 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:21.329714060 CET | 49780 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:21.520134926 CET | 587 | 49780 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:28.787650108 CET | 587 | 49781 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:28.788100004 CET | 49781 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:28.989994049 CET | 587 | 49781 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:28.992012024 CET | 49781 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:29.193319082 CET | 587 | 49781 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:31.768699884 CET | 587 | 49782 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:31.769032001 CET | 49782 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:31.971115112 CET | 587 | 49782 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:31.971417904 CET | 49782 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:32.173096895 CET | 587 | 49782 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:35.146542072 CET | 587 | 49783 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:35.637934923 CET | 49783 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:35.828423023 CET | 587 | 49783 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:35.830838919 CET | 49783 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:36.021270037 CET | 587 | 49783 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:39.004353046 CET | 587 | 49784 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:39.004637003 CET | 49784 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:39.195101023 CET | 587 | 49784 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:39.195441961 CET | 49784 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:39.385931969 CET | 587 | 49784 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:44.915525913 CET | 587 | 49785 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:44.915832043 CET | 49785 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:44.942065954 CET | 587 | 49786 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:44.980981112 CET | 49786 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:45.106766939 CET | 587 | 49785 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:45.107108116 CET | 49785 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:45.182934046 CET | 587 | 49786 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:45.183224916 CET | 49786 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:45.297060013 CET | 587 | 49785 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:45.384615898 CET | 587 | 49786 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:48.117017984 CET | 587 | 49788 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:48.117465973 CET | 49788 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:48.319351912 CET | 587 | 49788 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:48.319853067 CET | 49788 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:48.520977020 CET | 587 | 49788 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:51.170356035 CET | 587 | 49790 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:51.170943975 CET | 49790 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:51.361512899 CET | 587 | 49790 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:51.363917112 CET | 49790 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:51.554095984 CET | 587 | 49790 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:55.186496973 CET | 587 | 49791 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:55.186786890 CET | 49791 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:55.388758898 CET | 587 | 49791 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:55.389046907 CET | 49791 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:55.590718031 CET | 587 | 49791 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:10:58.619812965 CET | 587 | 49792 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:10:58.620275974 CET | 49792 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:10:58.810789108 CET | 587 | 49792 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:10:58.811338902 CET | 49792 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:10:59.001312971 CET | 587 | 49792 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:11:06.989258051 CET | 587 | 49794 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:11:06.989578009 CET | 49794 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:11:07.180483103 CET | 587 | 49794 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:11:07.180829048 CET | 49794 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:11:07.371102095 CET | 587 | 49794 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:11:09.861083031 CET | 587 | 49797 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:11:09.861562014 CET | 49797 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:11:10.053507090 CET | 587 | 49797 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:11:10.192938089 CET | 49797 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:11:10.383337021 CET | 587 | 49797 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:11:13.928740025 CET | 587 | 49800 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:11:13.929564953 CET | 49800 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:11:14.120673895 CET | 587 | 49800 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:11:14.120917082 CET | 49800 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:11:14.311005116 CET | 587 | 49800 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:11:16.957843065 CET | 587 | 49801 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:16.958256006 CET49801587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:17.149097919 CET58749801199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:17.149486065 CET49801587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:17.339823961 CET58749801199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:25.847112894 CET58749802199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:25.847930908 CET49802587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:26.050035954 CET58749802199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:26.050308943 CET49802587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:26.251746893 CET58749802199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:28.802917957 CET58749803199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:28.833527088 CET49803587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:29.023952961 CET58749803199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:29.026010036 CET49803587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:29.216161013 CET58749803199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:32.431086063 CET58749804199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:32.431371927 CET49804587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:32.621973991 CET58749804199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:32.622179985 CET49804587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:32.812243938 CET58749804199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:36.533087015 CET58749805199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:36.533415079 CET49805587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:36.724807978 CET58749805199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:36.725079060 CET49805587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:36.915260077 CET58749805199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:43.302206039 CET58749806199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:43.302654028 CET49806587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:43.494328022 CET58749806199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:43.495074987 CET49806587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:43.689754963 CET58749806199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:46.058482885 CET58749807199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:46.058820009 CET49807587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:46.249675035 CET58749807199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:46.250040054 CET49807587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:46.440186024 CET58749807199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:48.836632013 CET58749808199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:48.837008953 CET49808587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:49.028070927 CET58749808199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:49.029051065 CET49808587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:49.219455004 CET58749808199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:52.743582964 CET58749809199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:52.743916035 CET49809587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:52.934200048 CET58749809199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:52.936620951 CET49809587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:53.126874924 CET58749809199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:54.619864941 CET58749810199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:54.647011995 CET49810587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:54.837656021 CET58749810199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:54.846385956 CET49810587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:55.036645889 CET58749810199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:58.793193102 CET58749811199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:58.793859005 CET49811587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:58.984339952 CET58749811199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:58.989474058 CET49811587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:59.181180000 CET58749811199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:11:59.259850025 CET58749812199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:11:59.263751984 CET49812587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:11:59.466017008 CET58749812199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:11:59.466502905 CET49812587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:11:59.670650959 CET58749812199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:12:01.388549089 CET58749813199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:12:01.392748117 CET49813587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:12:01.584903002 CET58749813199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:12:01.585129023 CET49813587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:12:01.777091980 CET58749813199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:12:01.961464882 CET58749814199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:12:01.961730003 CET49814587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:12:02.152362108 CET58749814199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:12:02.152602911 CET49814587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:12:02.342701912 CET58749814199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:12:03.983864069 CET58749815199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:12:03.985244989 CET49815587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:12:04.177360058 CET58749815199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:12:04.177632093 CET49815587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:12:04.367909908 CET58749815199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                          Feb 1, 2021 09:12:04.554404974 CET58749816199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                          Feb 1, 2021 09:12:04.554629087 CET49816587192.168.2.7199.193.7.228EHLO 320946
                                                                                                          Feb 1, 2021 09:12:04.746764898 CET58749816199.193.7.228192.168.2.7250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
Timestamp | Source port | Dest port | Source IP | Dest IP | Commands/Responses
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:04.747014999 CET | 49816 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:04.938620090 CET | 587 | 49816 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:06.715044022 CET | 587 | 49817 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:06.715224981 CET | 49817 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:06.907890081 CET | 587 | 49817 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:06.908099890 CET | 49817 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:07.098213911 CET | 587 | 49817 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:07.172305107 CET | 587 | 49818 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:07.172955990 CET | 49818 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:07.364784956 CET | 587 | 49818 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:07.367861986 CET | 49818 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:07.557900906 CET | 587 | 49818 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:09.752533913 CET | 587 | 49819 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:09.752826929 CET | 49819 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:09.954586983 CET | 587 | 49819 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:09.954838037 CET | 49819 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:10.156296015 CET | 587 | 49819 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:12.457586050 CET | 587 | 49820 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:12.461524010 CET | 49820 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:12.652834892 CET | 587 | 49820 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:12.653201103 CET | 49820 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:12.843120098 CET | 587 | 49820 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:13.160633087 CET | 587 | 49821 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:13.160934925 CET | 49821 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:13.351763010 CET | 587 | 49821 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:13.352152109 CET | 49821 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:13.542532921 CET | 587 | 49821 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:15.160967112 CET | 587 | 49822 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:15.161264896 CET | 49822 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:15.352116108 CET | 587 | 49822 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:15.352284908 CET | 49822 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:15.542378902 CET | 587 | 49822 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:15.737823963 CET | 587 | 49823 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:15.738181114 CET | 49823 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:15.928592920 CET | 587 | 49823 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:15.928860903 CET | 49823 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:16.118854046 CET | 587 | 49823 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:18.322319984 CET | 587 | 49824 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:18.322577953 CET | 49824 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:18.524908066 CET | 587 | 49824 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:18.525171041 CET | 49824 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:18.726607084 CET | 587 | 49824 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:21.158082008 CET | 587 | 49825 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:21.158349991 CET | 49825 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:21.349931002 CET | 587 | 49825 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:21.350169897 CET | 49825 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:21.540354967 CET | 587 | 49825 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:21.732372999 CET | 587 | 49826 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:21.732527971 CET | 49826 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:21.924051046 CET | 587 | 49826 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:21.924277067 CET | 49826 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:22.114543915 CET | 587 | 49826 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:23.744049072 CET | 587 | 49827 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:23.746469975 CET | 49827 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:23.951492071 CET | 587 | 49827 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:23.951726913 CET | 49827 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:24.153302908 CET | 587 | 49827 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:24.308339119 CET | 587 | 49828 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:24.308604956 CET | 49828 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:24.500384092 CET | 587 | 49828 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:24.500648975 CET | 49828 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:24.690989017 CET | 587 | 49828 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:26.428899050 CET | 587 | 49829 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:26.430429935 CET | 49829 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:26.621756077 CET | 587 | 49829 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:26.622150898 CET | 49829 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:26.812263012 CET | 587 | 49829 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:26.874424934 CET | 587 | 49830 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:26.874878883 CET | 49830 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:27.065745115 CET | 587 | 49830 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:27.066075087 CET | 49830 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:27.256088018 CET | 587 | 49830 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:28.022768974 CET | 587 | 49831 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:28.023227930 CET | 49831 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:28.214212894 CET | 587 | 49831 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:28.214597940 CET | 49831 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:28.404983997 CET | 587 | 49831 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:29.121412992 CET | 587 | 49832 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:29.121841908 CET | 49832 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:29.312783003 CET | 587 | 49832 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:29.313154936 CET | 49832 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:29.473010063 CET | 587 | 49833 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:29.473433018 CET | 49833 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:29.503571033 CET | 587 | 49832 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:29.664067984 CET | 587 | 49833 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:29.664412022 CET | 49833 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:29.854438066 CET | 587 | 49833 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:32.030654907 CET | 587 | 49834 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:32.030946970 CET | 49834 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:32.221685886 CET | 587 | 49834 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:32.221980095 CET | 49834 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:32.411899090 CET | 587 | 49834 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:34.612339020 CET | 587 | 49835 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:34.612685919 CET | 49835 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:34.803423882 CET | 587 | 49835 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 1, 2021 09:12:34.803705931 CET | 49835 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 1, 2021 09:12:34.994025946 CET | 587 | 49835 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 1, 2021 09:12:35.593287945 CET | 587 | 49836 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 1, 2021 09:12:35.593636036 CET | 49836 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 320946
Feb 1, 2021 09:12:35.796199083 CET | 587 | 49836 | 199.193.7.228 | 192.168.2.7 | 250-mta-12.privateemail.com
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 81788928
                                                                                                          250-ETRN
                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                          250-ENHANCEDSTATUSCODES
                                                                                                          250-8BITMIME
                                                                                                          250 STARTTLS
                                                                                                          Feb 1, 2021 09:12:35.796957970 CET49836587192.168.2.7199.193.7.228STARTTLS
                                                                                                          Feb 1, 2021 09:12:35.998684883 CET58749836199.193.7.228192.168.2.7220 Ready to start TLS

                                                                                                          Code Manipulations

                                                                                                          Statistics

                                                                                                          Behavior

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:09:08:45
                                                                                                          Start date:01/02/2021
                                                                                                          Path:C:\Users\user\Desktop\Orders.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\Orders.exe'
                                                                                                          Imagebase:0x920000
                                                                                                          File size:1630720 bytes
                                                                                                          MD5 hash:E85DAF3A43F107B213310A53BFD35AA9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:09:08:47
                                                                                                          Start date:01/02/2021
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                                                                                                          Imagebase:0x1110000
                                                                                                          File size:430592 bytes
                                                                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:09:08:47
                                                                                                          Start date:01/02/2021
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff774ee0000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:09:08:49
                                                                                                          Start date:01/02/2021
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          Imagebase:0xbc0000
                                                                                                          File size:64616 bytes
                                                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Visual Basic
                                                                                                          Yara matches:
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.251635347.0000000003EBD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.256024655.0000000001293000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.255331829.0000000003EBD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.249596324.0000000001293000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.254611636.0000000003BAB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.255709181.0000000003E51000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.249733611.0000000003BAB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.251501400.0000000001293000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.246897806.0000000001293000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.246965930.0000000003B41000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.251891646.0000000003BAB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:moderate

                                                                                                          General

                                                                                                          Start time:09:08:52
                                                                                                          Start date:01/02/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                                                                                                          Imagebase:0x670000
                                                                                                          File size:532992 bytes
                                                                                                          MD5 hash:FFDB58533D5D1362E896E96FB6F02A95
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.503829429.0000000003E11000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.520293841.0000000007DA0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.249359249.0000000000672000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000002.489137354.0000000000672000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.520422224.0000000007DF0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000002.498581730.0000000002E11000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Arnim Rupp
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: JPCERT/CC Incident Response Group
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Avira
                                                                                                          • Detection: 100%, Avira
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          • Detection: 96%, ReversingLabs
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:09:08:52
                                                                                                          Start date:01/02/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\origigoods40.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                                                                                                          Imagebase:0xf0000
                                                                                                          File size:221696 bytes
                                                                                                          MD5 hash:AE36F0D16230B9F41FFECBD3C5B1D660
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.251123537.00000000000F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.427828296.00000000000F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.445240887.0000000002501000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Avira
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          • Detection: 43%, Metadefender
                                                                                                          • Detection: 83%, ReversingLabs
                                                                                                          Reputation:low

General

Start time:09:08:53
Start date:01/02/2021
Path:C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Imagebase:0x320000
File size:455680 bytes
MD5 hash:80C61B903400B534858D047DD0919F0E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000009.00000000.253083713.0000000000322000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 46%, Metadefender
• Detection: 86%, ReversingLabs
Reputation:low

General

Start time:09:08:54
Start date:01/02/2021
Path:C:\Users\user\AppData\Local\Temp\origigoods20.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Imagebase:0x680000
File size:220672 bytes
MD5 hash:61DC57C6575E1F3F2AE14C1B332AD2FB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.416654984.0000000000682000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.254178193.0000000000682000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.448946669.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 43%, Metadefender
• Detection: 86%, ReversingLabs
Reputation:low

General

Start time:09:08:54
Start date:01/02/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1104
Imagebase:0xe0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:09:09:08
Start date:01/02/2021
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):true
Commandline:dw20.exe -x -s 2132
Imagebase:0x10000000
File size:33936 bytes
MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:09:09:11
Start date:01/02/2021
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:09:09:11
Start date:01/02/2021
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:0x400000
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:09:09:14
Start date:01/02/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 2132
Imagebase:0xe0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:high

General

Start time:09:09:14
Start date:01/02/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 176
Imagebase:0xe0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:09:09:37
Start date:01/02/2021
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:'netsh' wlan show profile
Imagebase:0x1650000
File size:82944 bytes
MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:09:09:39
Start date:01/02/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff774ee0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:09:09:48
Start date:01/02/2021
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Imagebase:0x770000
File size:1630720 bytes
MD5 hash:E85DAF3A43F107B213310A53BFD35AA9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001E.00000002.638917740.0000000003D14000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 22%, ReversingLabs
Reputation:low

General

Start time:09:09:51
Start date:01/02/2021
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Imagebase:0x1110000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high
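
The process entries above carry the command lines that a responder would turn into detection logic: vbc.exe (the VB.NET compiler, which has no such switch) run with the NirSoft /stext switch against holdermail.txt and holderwb.txt, the same pattern MailPassView and WebBrowserPassView use to dump recovered credentials; netsh wlan show profile enumerating saved Wi-Fi networks; PowerShell with -ExecutionPolicy Bypass copying the dropped binary inside the per-user Startup folder; and the sample itself executing from that Startup folder. The Python script below is an added example, not part of the Joe Sandbox report: it encodes those observations as image-plus-argument rules and runs them over the (path, command line) pairs copied from the entries on this page plus one constructed benign vbc.exe compile that must not fire. Rule names, severities and the benign control are this example's own assumptions.

```python
"""Command-line triage for the process list of this report.

Added example, not Joe Sandbox code. SAMPLE_PROCESSES copies (path, command
line) pairs from the entries above and adds one constructed benign control;
the rule names and severities are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    image: Optional[str] = None     # regex over the image path
    args: Optional[str] = None      # regex over the arguments (image removed)
    escalate: Optional[str] = None  # if this also matches, severity becomes high


RULES: List[Rule] = [
    # vbc.exe (the VB.NET compiler) has no /stext switch; /stext, /shtml, /sxml ...
    # are NirSoft "save report" switches, so a .NET host running them is hollowed.
    Rule("nirsoft_stext_in_dotnet_host", "high",
         image=r"\\(vbc|regasm|regsvcs|msbuild|installutil|aspnet_compiler)\.exe$",
         args=r"(^|\s)/s(text|html|xml|comma|tab|verhtml)\b"),
    # 'netsh wlan show profile' lists saved Wi-Fi networks; key=clear also
    # dumps the PSK in plaintext, so that variant is escalated.
    Rule("wifi_profile_enumeration", "medium", image=r"\\netsh\.exe$",
         args=r"^wlan\s+show\s+profiles?\b", escalate=r"\bkey\s*=\s*clear\b"),
    Rule("powershell_executionpolicy_bypass", "medium",
         image=r"\\powershell\.exe$", args=r"-e(p|x\w*)\s+bypass\b"),
    # Running from, or writing into, the per-user Startup folder is persistence.
    Rule("startup_folder_image", "high",
         image=r"\\start menu\\programs\\startup\\[^\\]+\.exe$"),
    Rule("startup_folder_in_args", "high", args=r"\\start menu\\programs\\startup\\"),
    # RegAsm/RegSvcs/InstallUtil always take an assembly path; an empty command
    # line means the image was started only to be hollowed.
    Rule("dotnet_host_without_arguments", "medium",
         image=r"\\(regasm|regsvcs|installutil)\.exe$", args=r"^$"),
    Rule("temp_executable", "low", image=r"\\appdata\\local\\temp\\[^\\]+\.exe$"),
]
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def _args(path: str, cmdline: str) -> str:
    """Cut the image token off the command line (Windows quoting, so no shlex)."""
    idx = cmdline.lower().find(path.lower())
    if idx >= 0:
        rest = cmdline[idx + len(path):]
    elif cmdline[:1] in ("'", '"'):
        close = cmdline.find(cmdline[0], 1)
        rest = cmdline[close + 1:] if close > 0 else ""
    else:
        rest = cmdline.split(" ", 1)[1] if " " in cmdline else ""
    return rest.strip(" '\"")


def evaluate(path: str, cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule name, severity) for every rule this process matches."""
    args, hits = _args(path, cmdline), []
    for rule in RULES:
        if rule.image and not re.search(rule.image, path, re.I):
            continue
        if rule.args is not None and not re.search(rule.args, args, re.I):
            continue
        escalated = rule.escalate and re.search(rule.escalate, args, re.I)
        hits.append((rule.name, "high" if escalated else rule.severity))
    return hits


def triage(processes: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each command line to its hits; processes with no hits are dropped."""
    report = {}
    for path, cmdline in processes:
        hits = evaluate(path, cmdline)
        if hits:
            report[cmdline] = hits
    return report


def verdict(processes: List[Tuple[str, str]]) -> str:
    sevs = [s for hits in triage(processes).values() for _, s in hits]
    return max(sevs, key=SEVERITY_RANK.get, default="none")


FX2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
STARTUP_EXE = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\I$s#$lT3ssl.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_PROCESSES: List[Tuple[str, str]] = [  # copied from the report entries
    (r"C:\Users\user\AppData\Local\Temp\Matiexgoods.exe",
     r"'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0"),
    (FX2 + r"\vbc.exe",
     FX2 + r"\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    (r"C:\Windows\SysWOW64\netsh.exe", "'netsh' wlan show profile"),
    (STARTUP_EXE, "'" + STARTUP_EXE + "'"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item '"
     + STARTUP_EXE + "' '" + STARTUP_EXE + "'"),
    (REGASM, REGASM),
    # Constructed benign control (not from the report): a real vbc.exe compile.
    (FX2 + r"\vbc.exe", "vbc.exe /target:library /out:App.dll App.vb"),
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_PROCESSES).items():
        print(hits, "<-", cmdline)
    print("verdict:", verdict(SAMPLE_PROCESSES))
```

Each rule pairs an image-path pattern with an argument pattern rather than searching for strings anywhere in the command line, which is what keeps a developer's vbc.exe compile or an ordinary netsh query from firing while the hollowed vbc.exe /stext and the argument-less RegAsm.exe still do. The WerFault.exe entries with HawkEye Yara hits in their memory are invisible to a command-line rule like this; they need the memory scan the report already performed.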

General

Start time:09:09:52
Start date:01/02/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff774ee0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:09:09:54
Start date:01/02/2021
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:0xd30000
File size:64616 bytes
MD5 hash:6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Visual Basic
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.409742316.0000000003D5B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.401891116.0000000001453000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.402397368.000000000405D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.413799540.0000000003FF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.392335998.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.419539821.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.397781851.0000000003D5B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000003.385572050.0000000003750000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.402832252.0000000003D5B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.388318104.0000000001453000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000021.00000003.399192472.0000000003940000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.412233865.000000000405D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.397017946.0000000001453000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000003.415754718.0000000001453000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000021.00000003.400705321.0000000003940000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000021.00000003.391416001.0000000003C10000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:09:09:59
Start date:01/02/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 1096
Imagebase:0xe0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

General

Start time:09:10:00
Start date:01/02/2021
Path:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Imagebase:0x3d0000
File size:532992 bytes
MD5 hash:FFDB58533D5D1362E896E96FB6F02A95
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000024.00000000.396471028.00000000003D2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000024.00000002.403481991.00000000003D2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group

General

Start time:09:10:01
Start date:01/02/2021
Path:C:\Users\user\AppData\Local\Temp\origigoods40.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Imagebase:0x7ff724940000
File size:221696 bytes
MD5 hash:AE36F0D16230B9F41FFECBD3C5B1D660
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.399012238.0000000000E72000.00000002.00020000.sdmp, Author: Joe Security

General

Start time:09:10:04
Start date:01/02/2021
Path:C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Imagebase:0x6e0000
File size:455680 bytes
MD5 hash:80C61B903400B534858D047DD0919F0E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000026.00000000.405296344.00000000006E2000.00000002.00020000.sdmp, Author: Joe Security

General

Start time:09:10:05
Start date:01/02/2021
Path:C:\Users\user\AppData\Local\Temp\origigoods20.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Imagebase:0x530000
File size:220672 bytes
MD5 hash:61DC57C6575E1F3F2AE14C1B332AD2FB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000027.00000000.408264262.0000000000532000.00000002.00020000.sdmp, Author: Joe Security

Disassembly

Code Analysis
