
Analysis Report Payment Advice 80642111.exe

Overview

General Information

Sample Name: Payment Advice 80642111.exe
Analysis ID: 357080
MD5: 85bd30d4211b1dff2fe6847502341831
SHA1: 74fdf25bef9f31e311b21d8ca572f834d03134c0
SHA256: 6f2af9503a84bf2c99e0bbf735b953a7551f7ff78f87c9ad84e8aff091f2ae10
Tags: exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment Advice 80642111.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\Payment Advice 80642111.exe' MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6464 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6488 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6496 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6508 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
      • vbc.exe (PID: 7116 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 3220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 7124 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 5480 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 85BD30D4211B1DFF2FE6847502341831)
    • WindowsUpdate.exe (PID: 6228 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
      • vbc.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6876 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 804 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 85BD30D4211B1DFF2FE6847502341831)
    • WindowsUpdate.exe (PID: 6992 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 00000004.00000002.293943590.0000000008500000.00000004.00000001.sdmp | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp | Rule: Hawkeye | Description: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
  • 0x39848:$hawkstr1: HawkEye Keylogger
  • 0x3cd6c:$hawkstr1: HawkEye Keylogger
  • 0x3d148:$hawkstr1: HawkEye Keylogger
  • 0x41d4c:$hawkstr1: HawkEye Keylogger
  • 0x1452f0:$hawkstr1: HawkEye Keylogger
  • 0x39300:$hawkstr2: Dear HawkEye Customers!
  • 0x3cdcc:$hawkstr2: Dear HawkEye Customers!
  • 0x3d1a8:$hawkstr2: Dear HawkEye Customers!
  • 0x3942e:$hawkstr3: HawkEye Logger Details:
68 entries in total; only the first are shown.

Unpacked PEs

Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b90f:$key: HawkEyeKeylogger
  • 0x7db45:$salt: 099u787978786
  • 0x7bf1c:$string1: HawkEye_Keylogger
  • 0x7cd6f:$string1: HawkEye_Keylogger
  • 0x7daa5:$string1: HawkEye_Keylogger
  • 0x7c305:$string2: holdermail.txt
  • 0x7c325:$string2: holdermail.txt
  • 0x7c247:$string3: wallet.dat
  • 0x7c25f:$string3: wallet.dat
  • 0x7c275:$string3: wallet.dat
  • 0x7d687:$string4: Keylog Records
  • 0x7d99f:$string4: Keylog Records
  • 0x7db9d:$string5: do not script -->
  • 0x7b8f7:$string6: \pidloc.txt
  • 0x7b951:$string7: BSPLIT
  • 0x7b961:$string7: BSPLIT
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
158 entries in total; only the first are shown.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: Payment Advice 80642111.exe.6428.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 67%
Multi AV Scanner detection for submitted file
Source: Payment Advice 80642111.exe | Virustotal: Detection: 61%
Source: Payment Advice 80642111.exe | Metadefender: Detection: 18%
Source: Payment Advice 80642111.exe | ReversingLabs: Detection: 67%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Payment Advice 80642111.exe | Joe Sandbox ML: detected
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 23.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 23.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 27.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.Payment Advice 80642111.exe.296f4cc.5.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: Payment Advice 80642111.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Payment Advice 80642111.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.280032093.00000000034B6000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232184557.00000000029FF000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.301909823.00000000027F1000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.317588964.0000000002FA1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.507838378.0000000007CD0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.280233741.00000000034A7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0 source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.280226509.00000000034A1000.00000004.00000001.sdmp
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4x nop then jmp 04FBA630h
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4x nop then jmp 04FBA630h
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then jmp 0523A630h
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then jmp 0523A630h
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: global traffic | TCP traffic: 192.168.2.5:49726 -> 31.209.137.12:587
Source: Joe Sandbox View | IP Address: 31.209.137.12 31.209.137.12
Source: global traffic | TCP traffic: 192.168.2.5:49726 -> 31.209.137.12:587
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000001C.00000003.346102030.0000000000A8E000.00000004.00000001.sdmp | String found in binary or memory: f?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.facebook.com (Facebook)
Source: vbc.exe, 0000001C.00000003.346102030.0000000000A8E000.00000004.00000001.sdmp | String found in binary or memory: f?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 10.76.9.0.in-addr.arpa
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp | String found in binary or memory: http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.cr:
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: WerFault.exe, 00000012.00000003.320829363.0000000000A33000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro
Source: WindowsUpdate.exe, 00000017.00000002.507254853.0000000007097000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
Source: Payment Advice 80642111.exe, 00000004.00000003.235761615.0000000005AFD000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000001B.00000002.327611606.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: http://foo.com/foo
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0f
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.327611606.00000000033F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment Advice 80642111.exe, 00000004.00000003.238762251.0000000005B2C000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Advice 80642111.exe, 00000004.00000003.240153326.0000000005B2E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Advice 80642111.exe, 00000004.00000003.240153326.0000000005B2E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/B
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: Payment Advice 80642111.exe, 00000004.00000003.241248337.0000000005B2E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html8G
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: Payment Advice 80642111.exe, 00000004.00000003.242522578.0000000005B2E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersN
              Source: Payment Advice 80642111.exe, 00000004.00000003.240736289.0000000005B2E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersY
              Source: Payment Advice 80642111.exe, 00000004.00000003.242522578.0000000005B2E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
              Source: Payment Advice 80642111.exe, 00000004.00000003.242433196.0000000005B2E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersx
              Source: Payment Advice 80642111.exe, 00000004.00000002.287976818.0000000005AFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
              Source: Payment Advice 80642111.exe, 00000004.00000002.287976818.0000000005AFB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coml1
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: Payment Advice 80642111.exe, 00000004.00000003.236783840.0000000005B1E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: Payment Advice 80642111.exe, 00000004.00000003.236653540.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnF
              Source: Payment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnicryz
              Source: Payment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt;
              Source: Payment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cny
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: Payment Advice 80642111.exe, 00000004.00000003.243159760.0000000005B21000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: Payment Advice 80642111.exe, 00000004.00000003.243159760.0000000005B21000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmh
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-
              Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//(
              Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
              Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?
              Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Jy
              Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Ky
              Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Ty
              Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/fr-c
              Source: Payment Advice 80642111.exe, 00000004.00000003.238336955.0000000005AF5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/gy
              Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
              Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/?
              Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Ty
              Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/gy
              Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/yy
              Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/z
              Source: vbc.exe, 0000001C.00000002.346625388.0000000000608000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
              Source: vbc.exe, 0000001C.00000002.346625388.0000000000608000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
              Source: vbc.exe, 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
              Source: WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: Payment Advice 80642111.exe, 00000004.00000003.237013015.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comN
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
              Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.p
              Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=(
              Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
              Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
              Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
              Source: vbc.exe, 0000001C.00000003.346102030.0000000000A8E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-yo
              Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/TT
              Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
              Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
              Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara matchFile source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
              Source: Yara matchFile source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
              Source: Payment Advice 80642111.exe, 00000000.00000002.231772634.0000000000E98000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: Payment Advice 80642111.exe
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_089124E0 NtWriteVirtualMemory,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_08913160 NtSetContextThread,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_08911B58 NtResumeThread,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_089124D8 NtWriteVirtualMemory,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_089131F7 NtSetContextThread,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_08913158 NtSetContextThread,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_08911B52 NtResumeThread,
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 0_2_01238337
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 0_2_01239AB8
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 0_2_01236560
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 0_2_01236570
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 0_2_01239AA8
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_027EB29C
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_027EB24B
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_027EB290
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_027E99D0
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_027EDFD0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D69AB8
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D66570
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D66560
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D69AB3
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_02B3B29C
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_02B3C310
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_02B3B290
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_02B3B1F2
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_02B399D0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_02B3DFD0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_05DBB4E0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_05DBB198
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_05DBBDB0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_05DBEEC8
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_05DB0007
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_08912728
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 176
              Source: Payment Advice 80642111.exe | Binary or memory string: OriginalFilename vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCaptIt.dll. vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000000.00000002.232184557.00000000029FF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000000.00000002.231772634.0000000000E98000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe, 00000004.00000002.275954906.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe | Binary or memory string: OriginalFilenameScreenCapturer.exe> vs Payment Advice 80642111.exe
              Source: Payment Advice 80642111.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 00000004.00000002.293943590.0000000008500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.294011237.0000000008650000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000017.00000002.507838378.0000000007CD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000017.00000002.507820706.0000000007CC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.8500000.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 23.2.WindowsUpdate.exe.7cd0000.12.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 23.2.WindowsUpdate.exe.7cc0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.2972ff0.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.296f4cc.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.Payment Advice 80642111.exe.8650000.12.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: Payment Advice 80642111.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: WindowsUpdate.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: Payment Advice 80642111.exe, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.0.Payment Advice 80642111.exe.6d0000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.2.Payment Advice 80642111.exe.6d0000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 1.0.Payment Advice 80642111.exe.1d0000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 1.2.Payment Advice 80642111.exe.1d0000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 2.0.Payment Advice 80642111.exe.2b0000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.csBase64 encoded string: '+AGFvcSQ7sospLt87BtSyu5CCeD0AahxtcUNqlQg7HubMvbKEoS3pVe0+oqcwjUD', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.csBase64 encoded string: '+AGFvcSQ7sospLt87BtSyu5CCeD0AahxtcUNqlQg7HubMvbKEoS3pVe0+oqcwjUD', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@25/17@3/3
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice 80642111.exe.logJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7116
              Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9CA.tmpJump to behavior
              Source: Payment Advice 80642111.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: Payment Advice 80642111.exe | Virustotal: Detection: 61%
              Source: Payment Advice 80642111.exe | Metadefender: Detection: 18%
              Source: Payment Advice 80642111.exe | ReversingLabs: Detection: 67%
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | File read: C:\Users\user\Desktop\Payment Advice 80642111.exe
              Source: unknown | Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe 'C:\Users\user\Desktop\Payment Advice 80642111.exe'
              Source: unknown | Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 176
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 176
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: Payment Advice 80642111.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Payment Advice 80642111.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.280032093.00000000034B6000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
              Source: Binary string: RunPE.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232184557.00000000029FF000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.301909823.00000000027F1000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.317588964.0000000002FA1000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.507838378.0000000007CD0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
              Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.280233741.00000000034A7000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
              Source: Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
              Source: Binary string: System.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb0 source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.280226509.00000000034A1000.00000004.00000001.sdmp

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Binary contains a suspicious time stamp
              Source: initial sample | Static PE information: 0xA4622821 [Thu May 24 02:17:05 2057 UTC]
              Yara detected Beds Obfuscator
              Source: Yara match | File source: 00000015.00000002.309460071.0000000004DF0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001A.00000002.327982502.0000000005620000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.235200966.00000000050F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
              Source: Yara match | File source: 26.2.WindowsUpdate.exe.405b740.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 26.2.WindowsUpdate.exe.5620000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 21.2.WindowsUpdate.exe.4df0000.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 21.2.WindowsUpdate.exe.38ab740.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Payment Advice 80642111.exe.50f0000.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 21.2.WindowsUpdate.exe.4df0000.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 26.2.WindowsUpdate.exe.5620000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Payment Advice 80642111.exe.50f0000.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 21.2.WindowsUpdate.exe.395d970.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 26.2.WindowsUpdate.exe.410d970.6.unpack, type: UNPACKEDPE
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 0_2_01238A10 push dword ptr [ebp+5D906CA2h]; ret
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_027EE672 push esp; ret
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_04FBAC12 pushfd ; ret
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Code function: 4_2_04FBFC02 push E801005Eh; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D689C1 pushfd ; retf 0004h
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D689E9 pushfd ; retf 0004h
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D68A10 pushfd ; retf 0004h
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D68A39 pushfd ; retf 0004h
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 21_2_00D679C1 push es; retf 0004h
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_02B3E672 push esp; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_0523FC02 push E801005Eh; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_0523AC12 pushfd ; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_05234A40 push 000000C3h; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_0891A162 push 840760CBh; retf
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_0891A712 pushad ; iretd
              Source: initial sample | Static PE information: section name: .text entropy: 7.9941732776
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

              Hooking and other Techniques for Hiding and Protection:

              Changes the view of files in windows explorer (hidden files and folders)
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
              Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 identical entries collapsed)
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (40 identical entries collapsed)
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX (129 identical entries collapsed)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX (5 identical entries collapsed)

              Malware Analysis System Evasion:

              Yara detected Beds Obfuscator
              Source: Yara match; File source: 00000015.00000002.309460071.0000000004DF0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 0000001A.00000002.327982502.0000000005620000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.235200966.00000000050F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
              Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
              Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
              Source: Yara match; File source: 26.2.WindowsUpdate.exe.405b740.5.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 26.2.WindowsUpdate.exe.5620000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 21.2.WindowsUpdate.exe.4df0000.9.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 21.2.WindowsUpdate.exe.38ab740.6.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.50f0000.9.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 21.2.WindowsUpdate.exe.4df0000.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 26.2.WindowsUpdate.exe.5620000.8.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.50f0000.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 21.2.WindowsUpdate.exe.395d970.5.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 26.2.WindowsUpdate.exe.410d970.6.unpack, type: UNPACKEDPE
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 180000
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 1468
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 4942
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6460Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6560Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6928Thread sleep time: -120000s >= -30000s
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6932Thread sleep time: -140000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5580Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2892Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 240Thread sleep time: -120000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4948Thread sleep time: -140000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 644Thread sleep time: -41200s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5656Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060Thread sleep time: -100000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060Thread sleep time: -99859s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060Thread sleep time: -99750s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060Thread sleep time: -99641s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98422s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98313s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97688s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97406s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97188s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97047s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96688s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96422s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96313s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5540 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Last function: Thread delayed
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000003.316948995.000000000347F000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.320863428.0000000000A42000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WindowsUpdate.exe, 0000001B.00000002.325573849.00000000017A2000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000003.315342519.00000000034A1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW }H
Source: WerFault.exe, 00000012.00000003.318162252.0000000000A42000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <arg nm="p4" val="StackHash_2720" />
Source: WerFault.exe, 00000011.00000003.312924116.00000000034B4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
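The evasion rows above (long Thread sleep times, the Win32_Processor WMI query) and the injection rows (a section unmapped at 400000 in vbc.exe, an MZ-headed buffer written to the same base, vbc.exe relaunched with /stext) are the kind of sandbox evidence a detection engineer turns into triage rules. The Python below is an added example written for this page; it is not part of the Joe Sandbox report, of the sandbox's own signature logic, or of the sample. It parses a handful of constructed rows modelled on the ones above and applies three checks: a sleep threshold in the units the report prints (30000 is the threshold the report itself shows; 922337203685477 is Int64.MaxValue / 10000, which is .NET's TimeSpan.MaxValue in milliseconds, i.e. a sleep that never returns), an unmap-then-write-MZ correlation for process hollowing, and a check for child processes launched with NirSoft's /stext switch, which the real vbc.exe does not accept. The row format, field names and the KINDS list are assumptions made for the example, and the sample rows are constructed, not taken verbatim from the report.

```python
import re

# Constructed sample rows, modelled on the evidence lines in the report above
# (a few representative rows, not the full list).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99422s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96313s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1004 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000",
    r"Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000",
    r"Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
    r"Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe",
]

# Event kinds seen in the report (assumed list). The source path can itself contain
# spaces, so the kind keyword, not whitespace, is what delimits the source column.
KINDS = ("Thread sleep time", "WMI Queries", "Section unmapped", "Memory written",
         "Process created", "Process queried", "Process token adjusted",
         "Binary or memory string", "Queries volume information")
ROW_RE = re.compile(r"^Source: (?P<src>.+?)(?: TID: (?P<tid>\d+))? (?P<kind>"
                    + "|".join(re.escape(k) for k in KINDS) + r"): (?P<rest>.*)$")

# 9223372036854775807 // 10000: .NET TimeSpan.MaxValue expressed in milliseconds,
# the value a Thread.Sleep(TimeSpan.MaxValue)-style call shows up as.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000


def parse_rows(rows):
    """Split report rows into {src, tid, kind, rest}; rows that do not match are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            d = m.groupdict()
            d["tid"] = int(d["tid"]) if d["tid"] else None
            events.append(d)
    return events


def long_sleeps(events, threshold=30000):
    """Sleep events at or above `threshold` (same units the report prints), marking
    the never-returning TimeSpan.MaxValue sentinel separately."""
    hits = []
    for e in events:
        if e["kind"] != "Thread sleep time":
            continue
        secs = int(re.match(r"-?(\d+)s", e["rest"]).group(1))
        if secs >= threshold:
            hits.append({"src": e["src"], "tid": e["tid"], "seconds": secs,
                         "infinite": secs == TIMESPAN_MAX_MS})
    return hits


def hollowing_pairs(events):
    """(source, target, base) where a section was unmapped at `base` in `target` and
    an MZ-headed buffer (4D5A) was written to the same base by the same source.
    The report carries no timestamps, so this correlates by key, not by order."""
    unmapped = set()
    for e in events:
        if e["kind"] == "Section unmapped":
            m = re.match(r"(?P<target>.+) base address: (?P<base>[0-9A-Fa-f]+)$", e["rest"])
            unmapped.add((e["src"], m["target"], m["base"].upper()))
    hits = []
    for e in events:
        if e["kind"] != "Memory written":
            continue
        m = re.match(r"(?P<target>.+) base: (?P<base>[0-9A-Fa-f]+)"
                     r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$", e["rest"])
        key = (e["src"], m["target"], m["base"].upper())
        if key in unmapped and m["magic"] == "4D5A" and key not in hits:
            hits.append(key)
    return hits


def credential_dump_launches(events):
    """Child processes started with NirSoft's /stext <file> switch (write recovered
    passwords to a text file). vbc.exe has no such switch; the hollowed image does."""
    hits = []
    for e in events:
        if e["kind"] != "Process created":
            continue
        m = re.match(r"^(?P<image>.+?\.exe) (?P<cmd>.+)$", e["rest"])
        out = re.search(r"/stext '([^']+)'", m["cmd"])
        if out:
            hits.append({"parent": e["src"], "image": m["image"], "output": out.group(1)})
    return hits


if __name__ == "__main__":
    ev = parse_rows(SAMPLE_ROWS)
    for h in long_sleeps(ev):
        print("long sleep:", h)
    for h in hollowing_pairs(ev):
        print("process hollowing:", h)
    for h in credential_dump_launches(ev):
        print("credential dump:", h)
```

On the constructed rows the hollowing check returns exactly one (source, target, base) triple, the Payment Advice process writing an MZ-headed image at 400000 into the unmapped vbc.exe, while the WindowsUpdate.exe write at 401000 without a recorded magic is ignored; the sleep check reports all three sleeps, with only the TimeSpan.MaxValue one flagged as infinite. Correlating by key rather than by order is a deliberate trade-off: it cannot distinguish "unmap then write" from "write then unmap", but the report gives no ordering to work with, and a write of 4D5A to the base of a freshly unmapped image is rarely benign in either order.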
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Progman
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Users\user\Desktop\Payment Advice 80642111.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Users\user\Desktop\Payment Advice 80642111.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Payment Advice 80642111.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

              Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match; File source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match; File source: 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.503465573.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 6876, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.3939930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.3939930.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.3d29930.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.45fa72.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.3d29930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match; File source: 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 6452, type: MEMORY
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.3d95e38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.3d95e38.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.WindowsUpdate.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE

              Remote Access Functionality:

Detected HawkEye Rat
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp; String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp; String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp; String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp; String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Windows Management Instrumentation 21 | Registry Run Keys / Startup Folder 1 | Process Injection 312 | Disable or Modify Tools 1 | OS Credential Dumping 1 | Peripheral Device Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | System Information Discovery 15 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 31 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | Credentials In Files 1 | Security Software Discovery 131 | Distributed Component Object Model | Input Capture 11 | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp 1 | LSA Secrets | Virtualization/Sandbox Evasion 4 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Process Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 4 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 312 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

              Behavior Graph

              Behavior Graph ID: 357080, Sample: Payment Advice 80642111.exe, Startdate: 24/02/2021, Architecture: WINDOWS, Score: 100

              Start (node 2)
                Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
                Started: WindowsUpdate.exe 3 (node 8); Payment Advice 80642111.exe 3 (node 11); WindowsUpdate.exe (node 14)

              WindowsUpdate.exe 3 (node 8)
                Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                Started: WindowsUpdate.exe 4 (node 16)

              Payment Advice 80642111.exe 3 (node 11)
                Dropped: C:\Users\...\Payment Advice 80642111.exe.log, ASCII
                Started: Payment Advice 80642111.exe 1 6 (node 20); Payment Advice 80642111.exe (node 23); Payment Advice 80642111.exe (node 25); Payment Advice 80642111.exe (node 27)

              WindowsUpdate.exe (node 14)
                Started: WindowsUpdate.exe (node 29)

              WindowsUpdate.exe 4 (node 16)
                DNS/IP: smtp.vivaldi.net 31.209.137.12, 49726, 587 HRINGDU-ASIS Iceland; 10.76.9.0.in-addr.arpa
                Signatures: Writes to foreign memory regions; Sample uses process hollowing technique; Injects a PE file into a foreign processes
                Started: vbc.exe (node 31); vbc.exe (node 34)

              Payment Advice 80642111.exe 1 6 (node 20)
                DNS/IP: 192.168.2.1 unknown unknown; 10.76.9.0.in-addr.arpa
                Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe, PE32; C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII
                Signatures: Changes the view of files in windows explorer (hidden files and folders)
                Started: vbc.exe (node 36); vbc.exe (node 38)

              WindowsUpdate.exe (node 29)
                DNS/IP: 127.0.0.1 unknown unknown

              vbc.exe (node 31)
                Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)

              vbc.exe (node 34)
                Signatures: Tries to harvest and steal browser information (history, passwords, etc)

              vbc.exe (node 36)
                Started: WerFault.exe 6 9 (node 40)

              vbc.exe (node 38)
                Started: WerFault.exe 19 9 (node 42)

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label | Link
              Payment Advice 80642111.exe | 61% | Virustotal | | Browse
              Payment Advice 80642111.exe | 24% | Metadefender | | Browse
              Payment Advice 80642111.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |
              Payment Advice 80642111.exe | 100% | Joe Sandbox ML | |

              Dropped Files

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML | |
              C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 24% | Metadefender | | Browse
              C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |

              Unpacked PE Files

              Source | Detection | Scanner | Label | Link | Download
              4.2.Payment Advice 80642111.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac | | Download File
              4.2.Payment Advice 80642111.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473 | | Download File
              23.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac | | Download File
              23.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473 | | Download File
              27.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac | | Download File
              27.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473 | | Download File
              28.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438 | | Download File
              4.2.Payment Advice 80642111.exe.296f4cc.5.unpack | 100% | Avira | TR/Inject.vcoldi | | Download File

              Domains

              Source | Detection | Scanner | Label | Link
              10.76.9.0.in-addr.arpa | 0% | Virustotal | | Browse

              URLs

              Source | Detection | Scanner | Label | Link
              http://www.jiyu-kobo.co.jp/jp/? | 0% | Avira URL Cloud | safe |
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
              http://crl.microsoft | 0% | URL Reputation | safe |
              http://www.jiyu-kobo.co.jp/Ky | 0% | Avira URL Cloud | safe |
              http://www.tiro.com | 0% | URL Reputation | safe |
              http://www.goodfont.co.kr | 0% | URL Reputation | safe |
              http://www.founder.com.cn/cnF | 0% | Avira URL Cloud | safe |
              http://www.jiyu-kobo.co.jp/yy | 0% | Avira URL Cloud | safe |
              http://www.jiyu-kobo.co.jp/jp/gy | 0% | Avira URL Cloud | safe |
              http://www.fontbureau.coml1 | 0% | URL Reputation | safe |
              http://r3.i.lencr.org/0 | 0% | URL Reputation | safe |
              http://www.sajatypeworks.com | 0% | URL Reputation | safe |
              http://www.typography.netD | 0% | URL Reputation | safe |
              http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
              http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
              http://fontfabrik.com | 0% | URL Reputation | safe |
              http://www.jiyu-kobo.co.jp/8 | 0% | URL Reputation | safe |
              http://www.jiyu-kobo.co.jp/Jy | 0% | Avira URL Cloud | safe |
              http://www.founder.com.cn/cny | 0% | Avira URL Cloud | safe |
              http://www.founder.com.cn/cnicryz | 0% | Avira URL Cloud | safe |
              http://www.jiyu-kobo.co.jp/- | 0% | Avira URL Cloud | safe |
              http://www.galapagosdesign.com/staff/dennis.htmh | 0% | Avira URL Cloud | safe |
              http://www.jiyu-kobo.co.jp/gy | 0% | Avira URL Cloud | safe |
              http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
              http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
              http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe |
              http://www.sandoll.co.kr | 0% | URL Reputation | safe |
              http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
              http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
              http://www.sakkal.com | 0% | URL Reputation | safe |
              http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe |
              http://cps.letsencrypt.org0 | 0% | URL Reputation | safe |
              http://www.jiyu-kobo.co.jp//( | 0% | Avira URL Cloud | safe |
              http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
              http://www.fontbureau.coma | 0% | URL Reputation | safe |
              http://www.jiyu-kobo.co.jp/? | 0% | Avira URL Cloud | safe |
              http://www.carterandcone.coml | 0% | URL Reputation | safe |
              http://foo.com/foo | 0% | Avira URL Cloud | safe |
              http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe |
              http://www.jiyu-kobo.co.jp/Ty | 0% | Avira URL Cloud | safe |
              http://cps.root | 0% | Avira URL Cloud | safe |
              http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
              http://crl.micro | 0% | URL Reputation | safe |

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              smtp.vivaldi.net | 31.209.137.12 | true | false | | high
              10.76.9.0.in-addr.arpa | unknown | unknown | false | | unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.jiyu-kobo.co.jp/jp/?Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.fontbureau.com/designersGPayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                  high
                  https://contextual.media.net/checksync.pvbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmpfalse
                    high
                    http://www.fontbureau.com/designers/?Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                      high
                      http://www.founder.com.cn/cn/bThePayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://crl.microsoftWindowsUpdate.exe, 00000017.00000002.507254853.0000000007097000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.msn.com/de-ch/?ocid=iehpLMEMhvbc.exe, 0000001C.00000002.346625388.0000000000608000.00000004.00000020.sdmpfalse
                        high
                        http://www.fontbureau.com/designers?Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                          high
                          http://www.jiyu-kobo.co.jp/KyPayment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.com/designersYPayment Advice 80642111.exe, 00000004.00000003.240736289.0000000005B2E000.00000004.00000001.sdmpfalse
                            high
                            http://www.tiro.comWindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.com/designersWindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                high
                                http://www.goodfont.co.krPayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.founder.com.cn/cnFPayment Advice 80642111.exe, 00000004.00000003.236653540.0000000005B1E000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/yyPayment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fontbureau.com/designers/BPayment Advice 80642111.exe, 00000004.00000003.240153326.0000000005B2E000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.jiyu-kobo.co.jp/jp/gyPayment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designersNPayment Advice 80642111.exe, 00000004.00000003.242522578.0000000005B2E000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.coml1Payment Advice 80642111.exe, 00000004.00000002.287976818.0000000005AFB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://r3.i.lencr.org/0WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sajatypeworks.comPayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.typography.netDPayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cn/cThePayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmPayment Advice 80642111.exe, 00000004.00000003.243159760.0000000005B21000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://fontfabrik.comPayment Advice 80642111.exe, 00000004.00000003.235761615.0000000005AFD000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/8Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96evbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/JyPayment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.founder.com.cn/cnyPayment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cnicryzPayment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/-Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.msn.com/?ocid=iehpvbc.exe, 0000001C.00000002.346625388.0000000000608000.00000004.00000020.sdmpfalse
                                          high
                                          http://www.galapagosdesign.com/staff/dennis.htmhPayment Advice 80642111.exe, 00000004.00000003.243159760.0000000005B21000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://whatismyipaddress.com/-Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.com/designersbPayment Advice 80642111.exe, 00000004.00000003.242522578.0000000005B2E000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.jiyu-kobo.co.jp/gyPayment Advice 80642111.exe, 00000004.00000003.238336955.0000000005AF5000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://r3.o.lencr.org0WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.galapagosdesign.com/DPleasePayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designersxPayment Advice 80642111.exe, 00000004.00000003.242433196.0000000005B2E000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.ascendercorp.com/typedesigners.htmlPayment Advice 80642111.exe, 00000004.00000003.238762251.0000000005B2C000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fonts.comPayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.sandoll.co.krPayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.site.com/logs.phpPayment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://cvbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.urwpp.deDPleasePayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.nirsoft.net/vbc.exe, 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmpfalse
                                                        high
                                                        http://www.zhongyicts.com.cnPayment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePayment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.327611606.00000000033F1000.00000004.00000001.sdmpfalse
                                                            high
http://www.sakkal.com | source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://cps.root-x1.letsencrypt.org0 | source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.apache.org/licenses/LICENSE-2.0 | source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.fontbureau.com | source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | reputation: high
http://cps.letsencrypt.org0 | source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.jiyu-kobo.co.jp//( | source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.jiyu-kobo.co.jp/jp/ | source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.fontbureau.coma | source: Payment Advice 80642111.exe, 00000004.00000002.287976818.0000000005AFB000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.jiyu-kobo.co.jp/? | source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.carterandcone.coml | source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://foo.com/foo | source: WindowsUpdate.exe, 0000001B.00000002.327611606.00000000033F1000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlN | source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.jiyu-kobo.co.jp/z | source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.jiyu-kobo.co.jp/Ty | source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://cps.root | source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.founder.com.cn/cn | source: Payment Advice 80642111.exe, 00000004.00000003.236783840.0000000005B1E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.fontbureau.com/designers/frere-jones.html | source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | reputation: high
http://crl.micro | source: WerFault.exe, 00000012.00000003.320829363.0000000000A33000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.founder.com.cn/cnt; | source: Payment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.jiyu-kobo.co.jp/jp/Ty | source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.jiyu-kobo.co.jp/ | source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.tiro.comN | source: Payment Advice 80642111.exe, 00000004.00000003.237013015.0000000005B1E000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.jiyu-kobo.co.jp/i | source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe (3x) | reputation: unknown
http://www.fontbureau.com/designers8 | source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.jiyu-kobo.co.jp/fr-c | source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=( | source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp | malicious: false | reputation: high
https://login.microsoftonline.com/common/oauth2/TT | source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp | malicious: false | reputation: high
http://www.fontbureau.com/designers/frere-jones.html8G | source: Payment Advice 80642111.exe, 00000004.00000003.241248337.0000000005B2E000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.fontbureau.com/designers/ | source: Payment Advice 80642111.exe, 00000004.00000003.240153326.0000000005B2E000.00000004.00000001.sdmp | malicious: false | reputation: high
http://r3.i.lencr.org/0f | source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown

Note: the stray characters trailing several of these strings (coma, coml, comN, html8G, 0f) are bytes adjacent to the URL in memory that the string extraction carried along, not part of the URL. None of the entries is flagged; the font-foundry, Apache-license and Let's Encrypt CPS/CRL strings are the kind of text typically carried by embedded fonts and TLS certificate chains rather than by the malware's own configuration.

                                                                              Contacted IPs


                                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
31.209.137.12 | unknown | Iceland | 51896 | HRINGDU-ASIS | false

                                                                              Private

                                                                              IP
                                                                              192.168.2.1
                                                                              127.0.0.1

                                                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 357080
Start date: 24.02.2021
Start time: 07:26:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Payment Advice 80642111.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@25/17@3/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 71%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                              Cookbook Comments:
                                                                              • Adjust boot time
                                                                              • Enable AMSI
                                                                              • Found application associated with file extension: .exe
Warnings:
                                                                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                                              • Excluded IPs from analysis (whitelisted): 51.103.5.159, 13.64.90.137, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.104.144.132, 92.122.145.220, 104.43.193.48, 40.88.32.150, 23.218.208.56, 104.42.151.234, 52.255.188.83, 51.103.5.186, 8.253.95.249, 8.248.147.254, 8.253.95.121, 8.248.115.254, 8.248.145.254, 92.122.213.247, 92.122.213.194, 20.54.26.129
                                                                              • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                                              Simulations

                                                                              Behavior and APIs

Time | Type | Description
07:27:18 | API Interceptor | 4x Sleep call for process: Payment Advice 80642111.exe modified
07:27:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
07:27:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
07:27:45 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
07:27:47 | API Interceptor | 37x Sleep call for process: WindowsUpdate.exe modified
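The two Autostart rows above are the sample's persistence: a Run value named "Windows Update" in the current user's hive, pointing at a copy of itself under AppData\Roaming, so no administrative rights are needed and the name blends in with legitimate entries. The script below is an added example, not part of the Joe Sandbox report: it parses such timeline rows, merges the same entry seen through two registry views, and flags Run-key entries whose image sits in a user-writable directory or whose name imitates a Windows component while the image lives outside the Windows and Program Files roots. The timeline text (including the benign HKLM control row), the keyword lists and the scoring rules are constructed for this example.

```python
"""Flag suspicious Run-key persistence in a sandbox behaviour timeline.

Added example, not part of the Joe Sandbox report. The timeline below is
constructed: its two Autostart rows mirror the report, the HKLM row is an
invented benign entry used as a control. The keyword lists and the scoring
rules are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

SAMPLE_TIMELINE = r"""
07:27:18 | API Interceptor | 4x Sleep call for process: Payment Advice 80642111.exe modified
07:27:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
07:27:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
07:27:45 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
07:28:00 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth C:\Windows\System32\SecurityHealthSystray.exe
"""

# One timeline row: "<time> | Autostart | Run: <hive>\<key> <value name> <image path>".
# The value name may contain spaces, so the image path is anchored on "X:\".
ROW_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \| Autostart \| Run: "
    r"(?P<hive>HK[A-Z]+(?:64)?)\\(?P<key>\S+) "
    r'(?P<name>.+?) "?(?P<path>[A-Za-z]:\\[^"]+)"?$'
)

# Directories a standard user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Words that make an entry look like a Windows component (assumed list).
WINDOWS_LOOKALIKES = ("windows update", "windows defender", "microsoft",
                      "security", "svchost", "explorer", "runtime broker")
# Roots where genuine Windows components live (assumed list).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class RunEntry:
    name: str
    path: str
    views: list = field(default_factory=list)    # hives the entry was seen in
    reasons: list = field(default_factory=list)  # heuristics it tripped

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_run_entries(timeline: str) -> list:
    """Collect Run-key rows, merging the same (name, path) seen through several
    registry views (the report lists HKCU and HKCU64; they are taken here as
    the 32-bit and 64-bit views of one key, an assumption of this example)."""
    entries = {}
    for raw in timeline.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        key = (m["name"].lower(), m["path"].lower())
        entry = entries.setdefault(key, RunEntry(m["name"], m["path"]))
        entry.views.append(m["hive"])
    return list(entries.values())


def assess(entry: RunEntry) -> RunEntry:
    """Attach a reason for each heuristic the entry trips."""
    path = entry.path.lower()
    stem = path.rsplit("\\", 1)[-1]
    name = entry.name.lower()
    if any(d in path for d in USER_WRITABLE):
        entry.reasons.append("image lives in a user-writable directory")
    lookalike = any(w in name or w in stem for w in WINDOWS_LOOKALIKES)
    if lookalike and not path.startswith(TRUSTED_ROOTS):
        entry.reasons.append("name imitates a Windows component but the image "
                             "is outside the trusted roots")
    return entry


def find_suspicious_autostarts(timeline: str) -> list:
    """Return the Run-key entries that trip at least one heuristic."""
    return [e for e in map(assess, parse_run_entries(timeline)) if e.suspicious]


if __name__ == "__main__":
    for e in find_suspicious_autostarts(SAMPLE_TIMELINE):
        print(f"{e.name!r} -> {e.path} (seen in {', '.join(e.views)})")
        for r in e.reasons:
            print("  -", r)
```

Run against the constructed timeline, the script reports one entry, "Windows Update" -> C:\Users\user\AppData\Roaming\WindowsUpdate.exe seen in HKCU and HKCU64, with both reasons; the HKLM SecurityHealth control row is not reported because its image is under C:\Windows. The same two checks apply unchanged to a live host if the rows are produced from the Run keys by a registry dump instead of a sandbox timeline.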

                                                                              Joe Sandbox View / Context

                                                                              IPs

Match: 31.209.137.12
Associated Sample Name / URL | Detection
Invoice from GQH CO.,LTD (683814).exe | malicious
EFECO SAUDI LLC -NEW OFFER #210218.exe | malicious
invoice.jpg.scr.exe | malicious
PO #047428.exe | malicious
Scanned from PNB Sales Office Copier.pdf.exe | malicious
NEW ORDER INQUIRY_B1020289.pdf.exe | malicious
PO #047428.exe | malicious
Quote JQ102474.pdf.exe | malicious
Quotation Sheet and PO CARESCAPE R860 Ventilator.exe | malicious
New Order.exe | malicious
air ventilation systems_temperature 20-25 #U00b0.exe | malicious
QUOTE B1020363.pdf.exe | malicious
ABB offer 02.5.2021.abb.pdf.exe | malicious
Archived.doc.exe | malicious
24906_technical_datas.exe | malicious
PO #047428.exe | malicious
SWIFT_876544.exe | malicious
MT103_001.exe | malicious
MT103_001.exe | malicious
NEW ORDER FROM AUTONOLOGY CO.,LIMITED_PO#7A68D20.pdf.exe | malicious

                                                                                                                      Domains

Match: smtp.vivaldi.net
Associated Sample Name / URL | Detection | Context
Invoice from GQH CO.,LTD (683814).exe | malicious | 31.209.137.12
EFECO SAUDI LLC -NEW OFFER #210218.exe | malicious | 31.209.137.12
invoice.jpg.scr.exe | malicious | 31.209.137.12
PO #047428.exe | malicious | 31.209.137.12
Scanned from PNB Sales Office Copier.pdf.exe | malicious | 31.209.137.12
NEW ORDER INQUIRY_B1020289.pdf.exe | malicious | 31.209.137.12
PO #047428.exe | malicious | 31.209.137.12
Quote JQ102474.pdf.exe | malicious | 31.209.137.12
Quotation Sheet and PO CARESCAPE R860 Ventilator.exe | malicious | 31.209.137.12
New Order.exe | malicious | 31.209.137.12
air ventilation systems_temperature 20-25 #U00b0.exe | malicious | 31.209.137.12
QUOTE B1020363.pdf.exe | malicious | 31.209.137.12
ABB offer 02.5.2021.abb.pdf.exe | malicious | 31.209.137.12
Archived.doc.exe | malicious | 31.209.137.12
24906_technical_datas.exe | malicious | 31.209.137.12
PO #047428.exe | malicious | 31.209.137.12
SWIFT_876544.exe | malicious | 31.209.137.12
MT103_001.exe | malicious | 31.209.137.12
MT103_001.exe | malicious | 31.209.137.12
NEW ORDER FROM AUTONOLOGY CO.,LIMITED_PO#7A68D20.pdf.exe | malicious | 31.209.137.12

                                                                                                                      ASN

                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vbc.exe_f089e1f5158893287601d79f3806df6ebd7720_6c16ead4_0084324c\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7826
Entropy (8bit): 3.7667017788295856
Encrypted: false
SSDEEP: 192:QCLqKDI0HJdmhf9jY/u7s7S274ItE7GDBF:TpD7JdmTjY/u7s7X4ItEOj
MD5: FEA8FB37352748ABF52EEDDC1BAFD3AF
SHA1: C0EB23FC2D3C423475CA4EBF40BB97ED85746274
SHA-256: EB5EC84A3956D61FCA0FAFB9D3FB01251B7B3F60FB2AAE8739702C1E90505FD5
SHA-512: 14434C176FA25372FAD0B15EC14F0B7F5C8C4350320EFC39ACD71F29647C698C5559B5A3FD1D3A7D5DB15EBCA1E0C6AA04CAE19A206917A6BD09075BF3F2F838
Malicious: false
Reputation: low
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vbc.exe_f0f7e6794544275e818a7614df8b65417782bd48_966227d3_0cdc2ada\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7824
Entropy (8bit): 3.767791835512396
Encrypted: false
SSDEEP: 192:/d8VKUi2ymHBUZMXQf9jY/u7s7S274ItE7GDC:60Ui2TBUZMXojY/u7s7X4ItEOC
MD5: 16669F3D89747BE390D6EB5D1DCD21A5
SHA1: 91E77D1EB35104257E95B90952AD763E8653AF8F
SHA-256: D9483646A43227D7D53CD46C17E667B34D3CEA36021FE51E6F2A3E6AF6EAEFC6
SHA-512: E0BA77550BFDB1366453ACDD7C5E97923F50332C3610897E7FADD9517E32AE67319EFFD7143D188317CA5D19D9B312B5369F6F0171A8BAEE3B96748C190029C5
Malicious: false
Reputation: low
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9CA.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed Feb 24 15:27:29 2021, 0x1205a4 type
Category: dropped
Size (bytes): 17690
Entropy (8bit): 2.246227175268669
Encrypted: false
SSDEEP: 96:5Sw6l8Q/sJy8jAxSmXAwO39BYbQ5ih1UnWInWIXmI4uH2C:4s48ExlA3tBeY01JuH2C
MD5: AD181CBD689B1087A79DB8BC0A0F4AC7
SHA1: 2C57406A19B726584396FD393ADE18627E64103D
SHA-256: EB57A20CEAACD4E1C804C7405D9F6B635F127E34DE5539E53B2BBBCCEB2FE80A
SHA-512: C3DC62A49FECB327E85E71D1339182499E44DF723D9F4CDDB93C22E9EAB939066266E7D4902F8B3E2342509000C21FC4EF967745D9CF2E7992CFADA2126BDE14
Malicious: false
Reputation: low
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC2B.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed Feb 24 15:27:30 2021, 0x1205a4 type
Category: dropped
Size (bytes): 17690
Entropy (8bit): 2.252376513132558
Encrypted: false
SSDEEP: 96:5wu1l8Q//ZpDDmXADJF+28J+fDHa2ihGWHWInWIXmI4zH1T:jxpDiAtFKJ+rL0HazH1T
MD5: 2D63378C69ADE33028F915A90B9C547B
SHA1: 89747F12FAFA86497032CC6569A4DB7E0C6EA0D7
SHA-256: 01DF1492A1F149CB981962B6843B78FBF720A6FA26A21EBBD12A4B4AB1F0F549
SHA-512: 276207F97628E9D3969E04EC186D69098044A2668AFEAB514D8B1EAA5AECE5C67AB7824DF88BCDC810A8DF1CA953115D6B6DD5F40586EFA15F12D4B01E3AEFD6
Malicious: false
Reputation: low
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC5B.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8316
Entropy (8bit): 3.7035939481039297
Encrypted: false
SSDEEP: 192:Rrl7r3GLNivV6CM6YFb6Regmf5sSU3CprT89bQ4qsf4WOm:RrlsNi96x6YJ6Igmf+SUrQ4JfNX
MD5: 11BC68309D5AC81A44B22BD76CCCCC63
SHA1: 6B55392DF74BA0C762ED683DAEFDD2E3BD9B9E1B
SHA-256: 110383C38453AF1AB3863AE63F30103C8F66F59991F1A2E5F434FA4F5FFAE56E
SHA-512: EB29F9F17FE35C3593BA559FE895F310CBE0C43DDD7D0C3629E4F0C89942B812DC35FD22724C1ECA506CD9407BE753700822E9EA580918CE3BC5C9F14BA52329
Malicious: false
Reputation: low
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFD7.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4643
Entropy (8bit): 4.480879266928618
Encrypted: false
SSDEEP: 48:cvIwSD8zskJgtWI9r7WSC8BZ8fm8M4JzzZFG+q8jDYUlu5nNd:uITfiMKSNcJfSQHlu5nNd
MD5: 1B69D72770E23517194A87BAA694BA9E
SHA1: 179817EB40A5DEDBED8E767FF0FEF8E505193DAF
SHA-256: 25BE65318011103BD94ACA3A259E96BDD0F193A77A10584CA24DBE5390F24907
SHA-512: 8DC11825F2EA89CBB15FF25B3EF1866E6C898961D035079A37C1EFC6FBA71B9154A43C43CB1150E5393239DAFE60FB94A3E48AF9DB8C74124848E9894E30E259
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="875558" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFE5.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8320
Entropy (8bit): 3.701478060799241
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiGs6UvO6YF66Ogmf5CSY3Cprn89bQBasfSWRm:RrlsNit6N6YI6OgmfYSY3QB5fDs
MD5: 0F036666EAA82EFDC5BBE33C7F762561
SHA1: E6FD8507D1FB425C6B66F03673A2157750FA1FB9
SHA-256: 0716AF1B62E45B1FED8E9A94D267EFE001091650353A6A806E270E00260D2F95
SHA-512: 64BEF5F5A3889B242ACA6FAAF86274734DF236C382151DEDD1958C9CED41FC2AE1551D7DA73F7D86FCF30F4C381E0D31FFA03E84C64618A6568A1ED60E2C6F90
Malicious: false
Reputation: low
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF67E.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4643
Entropy (8bit): 4.4848666356737485
Encrypted: false
SSDEEP: 48:cvIwSD8zskJgtWI9r7WSC8Bo8fm8M4JlRZF1I+q8vDxUlMScd:uITfiMKSN3JfK4alTcd
MD5: D31A275CA1BE98D708626854C30B9D65
SHA1: 31172763FF260582AAE1AC57F7EB1E1A02E3232E
SHA-256: 78BAB11A900AB9394678E8892B9E501E871A93EFE18DB3AB4CBADCD791E997CE
SHA-512: 1AF3D829E1CB46D27EB7215FEBA25F658498B0DB7E03223EA5A6944C8D273FFB2903E9C2A9922FA89D94F34D8BB22EE41B2103E36635B7FA3F7F8F1C495601D5
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="875558" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice 80642111.exe.log
Process: C:\Users\user\Desktop\Payment Advice 80642111.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.342604339328228
Encrypted: false
                                                                                                                      SSDEEP:12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4Kx1qE4qpE4Ks2wKDE4KhK3VZ9px
                                                                                                                      MD5:34580C7C598E15B8A008C82FE6A07CDF
                                                                                                                      SHA1:2C90E9B7F4AFFE8FC7F9C313B4B867DF5B96CAC1
                                                                                                                      SHA-256:08246B9BE1C37F8977CE083319A9D34BE09C65B926CBA30A5E062D79D5A4F1D6
                                                                                                                      SHA-512:D836A862804608C3A127BF0CD30ECFB428E682D5E73D90C4C2837F93F02F12307F242F47F3CBBD71249AA6E608AFE230527F2F7D306A35A681346F9DDFE9D820
                                                                                                                      Malicious:true
                                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsUpdate.exe.log
                                                                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):706
                                                                                                                      Entropy (8bit):5.342604339328228
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4Kx1qE4qpE4Ks2wKDE4KhK3VZ9px
                                                                                                                      MD5:34580C7C598E15B8A008C82FE6A07CDF
                                                                                                                      SHA1:2C90E9B7F4AFFE8FC7F9C313B4B867DF5B96CAC1
                                                                                                                      SHA-256:08246B9BE1C37F8977CE083319A9D34BE09C65B926CBA30A5E062D79D5A4F1D6
                                                                                                                      SHA-512:D836A862804608C3A127BF0CD30ECFB428E682D5E73D90C4C2837F93F02F12307F242F47F3CBBD71249AA6E608AFE230527F2F7D306A35A681346F9DDFE9D820
                                                                                                                      Malicious:false
                                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                                      C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):2
                                                                                                                      Entropy (8bit):1.0
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Qn:Qn
                                                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                      Malicious:false
                                                                                                                      Preview: ..
                                                                                                                      C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      Process:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):744448
                                                                                                                      Entropy (8bit):7.991542962307303
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:12288:xR/SQVieUU3JGNECPXYjy7cBwUpyRsMd1B4w4wpHr+26W5mc5ubo7qkdUmTAZnrh:xR/SQVi7U3JGNfPIjLqUp7Md7ZHpR53r
                                                                                                                      MD5:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      SHA1:74FDF25BEF9F31E311B21D8CA572F834D03134C0
                                                                                                                      SHA-256:6F2AF9503A84BF2C99E0BBF735B953A7551F7FF78F87C9AD84E8AFF091F2AE10
                                                                                                                      SHA-512:EBB2DB3BF9315BFD4B307E587DA544471512E56CC6B3414E6BCD4F48E65C1D27C3AEBD16AC016794E9A540D11A7B1ADBB233B4D4C0267E901FD0BAAC9341FC4E
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: Metadefender, Detection: 24%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 68%
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!(b...............0..R...........p... ........@.. ....................................@..................................p..O.................................................................................... ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................p......H........Q..........5...$...."..........................................".(.....*.(.........*~.|....(....-..|....(.......+..*..(....-.~ ...+..|....(.....|....(....s!...*..(....-.~ ...+..|....(.....|....(....s!...*..(....-..+..|....(.....|....(....Y*..|....(.....|....(.....(.....(....s"...*z.~ ...}.....~ ...}.....(.....*..{....~....Y.{....~....Y~....~....s"...*r....(....}.......(....}....*..{....*z.{.... .......{.... ......+..*...}..... ....}..... ....}.....(.....*N......~....
                                                                                                                      C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                                                                                      Process:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):26
                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                      Malicious:true
                                                                                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                      C:\Users\user\AppData\Roaming\pid.txt
                                                                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4
                                                                                                                      Entropy (8bit):1.5
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:xn:x
                                                                                                                      MD5:F4E3CE3E7B581FF32E40968298BA013D
                                                                                                                      SHA1:69E771474BA5705EB63F0E6A4FA885755279549E
                                                                                                                      SHA-256:5B328CF43D53A589FE546B2D4E2D18E962693C58A78FD1E0AA6EB05501DBD81F
                                                                                                                      SHA-512:30260997A27DDCBD88B5EA5F72FDA94E10A4FD883C8E11B274E940A3065E2FA997B7A4C28BE3A41B665841B987459B61FC2370EFB5243DFA76AC9B729916267A
                                                                                                                      Malicious:false
                                                                                                                      Preview: 6228
                                                                                                                      C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):49
                                                                                                                      Entropy (8bit):4.359935487883289
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:oNUkh4EaKC59KuCa:oN9aZ5v
                                                                                                                      MD5:12D2EDA11A3448999A0FE3B16E86A9DC
                                                                                                                      SHA1:BA191B82B2B86F0DCE06844378C6E9FEC1228C6F
                                                                                                                      SHA-256:43F3713FB66C95CA2EF5D61548FC11BB1BFC86F9BC32F4BD3DB65B9A827F395B
                                                                                                                      SHA-512:56EACBC7996ECD60F0688732D8084BB1B2EE7F74CC796A1AC97EA08FE97FA227FAC7DC7EB17F0CF3E0DE31D10C3BF35FC19F002AECC78F22267B5F0058519C44
                                                                                                                      Malicious:false
                                                                                                                      Preview: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
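
The dropped-file table above is a compact host indicator set: a byte-identical copy of the sample at %AppData%\Roaming\WindowsUpdate.exe (same MD5, SHA-1 and SHA-256 as the submitted file), plus pid.txt and pidloc.txt written by that copy, one holding its process ID (6228 in this run) and the other its own path. The script below is an added example written for this page, not part of the report or of the sample: it checks a Roaming directory for the three files, hashes the executable against the report's SHA-256, parses the two text files, and on NTFS reads the Zone.Identifier stream whose ZoneId the table shows as 0. The function `make_constructed_profile()` builds a throw-away directory with constructed contents so the checks run offline; it is test input, not a copy of the sample, and the verdict labels are this example's own.

```python
"""Host-side check for the drop pattern in the table above: the sample copies
itself to %AppData%\\Roaming\\WindowsUpdate.exe and that copy writes pid.txt and
pidloc.txt beside it. Added example, not part of the report; the IOC hash and
file names come from the dropped-file table, everything else is assumed."""
import hashlib
import os
import re
import sys
import tempfile

# SHA-256 of the submitted sample, which the dropped copy matches byte for byte.
KNOWN_SHA256 = {"6f2af9503a84bf2c99e0bbf735b953a7551f7ff78f87c9ad84e8aff091f2ae10"}
ARTIFACTS = ("WindowsUpdate.exe", "pid.txt", "pidloc.txt")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_zone_id(path):
    """ZoneId from the NTFS Zone.Identifier stream (None off Windows or if absent)."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="ascii", errors="replace") as f:
            m = re.search(r"^ZoneId=(\d+)", f.read(), re.M)
        return int(m.group(1)) if m else None
    except OSError:
        return None


def hunt(roaming_dir, known=KNOWN_SHA256):
    """Inspect one user's Roaming directory and return what was found."""
    found = {n: os.path.isfile(os.path.join(roaming_dir, n)) for n in ARTIFACTS}
    r = {"found": found, "sha256": None, "hash_match": False, "zone_id": None,
         "pid": None, "pidloc_names_copy": False, "verdict": "clean"}
    exe = os.path.join(roaming_dir, "WindowsUpdate.exe")
    if found["WindowsUpdate.exe"]:
        r["sha256"] = sha256_file(exe)
        r["hash_match"] = r["sha256"] in known
        r["zone_id"] = read_zone_id(exe)
    if found["pid.txt"]:
        with open(os.path.join(roaming_dir, "pid.txt")) as f:
            txt = f.read().strip()
        r["pid"] = int(txt) if txt.isdigit() else None   # the report shows a bare PID, 6228
    if found["pidloc.txt"]:
        with open(os.path.join(roaming_dir, "pidloc.txt")) as f:
            loc = f.read().strip()
        # pidloc.txt holds the copy's own Windows path; match on the file name only so
        # the check works for any user profile and from a non-Windows forensic mount.
        name = loc.replace("\\", "/").rsplit("/", 1)[-1].lower()
        r["pidloc_names_copy"] = name == "windowsupdate.exe"
    if r["hash_match"]:
        r["verdict"] = "confirmed"       # byte-identical to the analysed sample
    elif found["WindowsUpdate.exe"] and (found["pid.txt"] or found["pidloc.txt"]):
        r["verdict"] = "suspicious"      # drop pattern present, unknown build of the binary
    elif any(found.values()):
        r["verdict"] = "partial"
    return r


def make_constructed_profile(exe_bytes=b"constructed placeholder, not the sample\n"):
    """Throw-away directory laid out like the report's dropped-file table (test input)."""
    roaming = os.path.join(tempfile.mkdtemp(prefix="hawkeye_triage_"), "AppData", "Roaming")
    os.makedirs(roaming)
    with open(os.path.join(roaming, "WindowsUpdate.exe"), "wb") as f:
        f.write(exe_bytes)
    with open(os.path.join(roaming, "pid.txt"), "w") as f:
        f.write("6228")
    with open(os.path.join(roaming, "pidloc.txt"), "w") as f:
        f.write(r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe")
    return roaming
```

On a live host, call `hunt(os.path.expandvars(r"%APPDATA%"))` for each profile; on a mounted image, point it at `Users\<name>\AppData\Roaming`. A hash mismatch with the rest of the pattern present still deserves the "suspicious" verdict, since a rebuilt stub changes the hash but not the pid.txt / pidloc.txt behaviour.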

                                                                                                                      Static File Info

                                                                                                                      General

                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Entropy (8bit):7.991542962307303
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                      File name:Payment Advice 80642111.exe
                                                                                                                      File size:744448
                                                                                                                      MD5:85bd30d4211b1dff2fe6847502341831
                                                                                                                      SHA1:74fdf25bef9f31e311b21d8ca572f834d03134c0
                                                                                                                      SHA256:6f2af9503a84bf2c99e0bbf735b953a7551f7ff78f87c9ad84e8aff091f2ae10
                                                                                                                      SHA512:ebb2db3bf9315bfd4b307e587da544471512e56cc6b3414e6bcd4f48e65c1d27c3aebd16ac016794e9a540d11a7b1adbb233b4d4c0267e901fd0baac9341fc4e
                                                                                                                      SSDEEP:12288:xR/SQVieUU3JGNECPXYjy7cBwUpyRsMd1B4w4wpHr+26W5mc5ubo7qkdUmTAZnrh:xR/SQVi7U3JGNfPIjLqUp7Md7ZHpR53r
                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!(b...............0..R...........p... ........@.. ....................................@................................

                                                                                                                      File Icon

                                                                                                                      Icon Hash:00828e8e8686b000

                                                                                                                      Static PE Info

                                                                                                                      General

                                                                                                                      Entrypoint:0x4b70de
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                      Time Stamp:0xA4622821 [Thu May 24 02:17:05 2057 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
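
Two of the header fields in the table above drive findings in this report and can be checked without a sandbox: the time stamp 0xA4622821 decodes to 24 May 2057, later than any possible build date, and the entry point of a 32-bit .NET image should be nothing more than `jmp dword ptr [IAT slot]` (FF 25 imm32), the thunk through which the loader reaches mscoree!_CorExeMain. That is why the entry-point preview that follows shows `jmp dword ptr [00402000h]` and then a long run of `add byte ptr [eax], al`, which is the disassembly of the zero padding (00 00) after the stub rather than code. The script below is an added example written for this page, not code from Joe Sandbox or from the sample: it parses the COFF and optional headers, converts TimeDateStamp and flags it when it post-dates a reference time, lists the DLL characteristics, and decodes the six bytes at the entry point. The image produced by `build_sample_pe()` is constructed in memory to exercise the checks; its layout (IAT at RVA 0x2000, CLR header at 0x2008, entry stub at 0x2100) is an assumption for the test, not the sample's.

```python
"""Static PE triage for the header fields a sandbox reports: build-time stamp,
entry point and what sits at it, DLL characteristics. Added example, not part of
the report or of Joe Sandbox; the image built by build_sample_pe() is
constructed in memory and is NOT the analysed sample."""
import struct
from datetime import datetime, timezone

DIR_IAT, DIR_CLR = 12, 14          # data-directory indices (PE spec)
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def parse_pe(data):
    """Pull the header fields needed for triage out of a raw PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                          # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), raw))
    return {"timestamp": tstamp, "entry_rva": ep_rva, "image_base": image_base,
            "dll_chars": dll_chars, "dirs": dirs, "sections": sections}


def rva_to_offset(pe, rva):
    for _, va, size, raw in pe["sections"]:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError("RVA %#x maps to no section" % rva)


def triage(data, now_epoch=None):
    """Return the findings a reviewer wants from the static header alone."""
    pe = parse_pe(data)
    now = (datetime.fromtimestamp(now_epoch, timezone.utc) if now_epoch
           else datetime.now(timezone.utc))
    built = datetime.fromtimestamp(pe["timestamp"], timezone.utc)
    ep_off = rva_to_offset(pe, pe["entry_rva"])
    stub = data[ep_off:ep_off + 6]
    iat_rva, iat_size = pe["dirs"][DIR_IAT] if len(pe["dirs"]) > DIR_IAT else (0, 0)
    clr_rva, clr_size = pe["dirs"][DIR_CLR] if len(pe["dirs"]) > DIR_CLR else (0, 0)
    # A 32-bit .NET image starts with `jmp dword ptr [IAT slot]` (FF 25 imm32), the
    # thunk for mscoree!_CorExeMain, followed by zero padding. Anything else at the
    # entry point of a file that carries a CLR header runs native code before the runtime.
    clr_stub = False
    if stub[:2] == b"\xff\x25":
        target_rva = struct.unpack_from("<I", stub, 2)[0] - pe["image_base"]
        clr_stub = iat_rva <= target_rva < iat_rva + iat_size
    return {"timestamp_utc": built.strftime("%Y-%m-%d %H:%M:%S"),
            "timestamp_in_future": built > now,           # the "suspicious time stamp" check
            "entry_va": pe["image_base"] + pe["entry_rva"],
            "has_clr_header": bool(clr_rva and clr_size),
            "entry_is_clr_stub": clr_stub,
            "dll_characteristics": sorted(n for b, n in DLL_CHARACTERISTICS.items()
                                          if pe["dll_chars"] & b)}


def build_sample_pe(timestamp, entry_bytes=None):
    """Constructed minimal PE32 with a CLR header and one .text section (test input)."""
    image_base, text_rva, text_raw, text_len = 0x400000, 0x2000, 0x200, 0x200
    iat_rva, clr_rva, ep_rva = 0x2000, 0x2008, 0x2100
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, ep_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<HH", opt, 68, 2, 0x8540)            # GUI; NO_SEH|NX|DYNAMIC_BASE|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, iat_rva, 8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, clr_rva, 72)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_len, text_rva, text_len, text_raw,
                       0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    hdr += bytes(text_raw - len(hdr))
    text = bytearray(text_len)
    if entry_bytes is None:                                # default: the CLR entry stub
        entry_bytes = b"\xff\x25" + struct.pack("<I", image_base + iat_rva)
    text[ep_rva - text_rva:ep_rva - text_rva + len(entry_bytes)] = entry_bytes
    return bytes(hdr) + bytes(text)
```

Run `triage(open(path, "rb").read())` on the real file to reproduce the table's values; a future-dated stamp on its own only says the field was tampered with or the build clock was wrong, while a CLR header combined with an entry point that is not the FF 25 thunk is the combination that justifies unpacking before anything else.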

                                                                                                                      Entrypoint Preview

                                                                                                                      Instruction
                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
add byte ptr [eax], al    (this line repeats 75 times in the report: the byte pair 00 00 decodes to this instruction, so the region is zero padding rather than real code)

                                                                                                                      Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb708c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb8000          0x5d6         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                                      Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xb50e4       0xb5200   False     0.943829796411   data       7.9941732776    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xb8000          0x5d6         0x600     False     0.418619791667   data       4.12696293065   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xba000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text section is the whole binary in practice (0xb5200 of the file's raw bytes) and has an entropy of 7.994 bits per byte with a ZLIB complexity of 0.94. Compiled code does not look like that; values this close to 8.0 indicate compressed or encrypted data, which fits the "potential unpacker" signature above: a small .NET stub that decrypts and loads the real HawkEye payload at run time.
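The entropy check behind that observation is easy to reproduce. The following is an added example, not code from the report or from Joe Sandbox: it walks the PE headers (DOS header, PE signature, COFF header, section table), computes Shannon entropy over each section's raw bytes, and flags executable sections above a heuristic threshold. The PE bytes it runs on are a minimal, non-loadable fixture assembled inline so the example works offline; the 7.0 bits/byte cut-off and the section layout are assumptions of the example, not values taken from the sample.

```python
"""Parse PE section headers and flag high-entropy executable sections.

Constructed example: the PE bytes built by build_fixture() are a minimal,
non-loadable file assembled inline so the example runs offline; they are
not the analysed sample.
"""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Raw data is bounds-checked against the file: a section whose raw data
    runs past end-of-file is reported as truncated instead of raising.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, coff_off)
    table_off = coff_off + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HEADER, pe, table_off + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "executable": bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
            "truncated": len(data) < raw_size,
            "entropy": shannon_entropy(data),
        })
    return sections


def flag_packed_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of executable sections whose entropy exceeds the threshold.

    7.0 bits/byte is an assumed heuristic cut-off: ordinary compiled code
    usually sits well below it, compressed or encrypted payloads approach 8.0.
    """
    return [s["name"] for s in parse_sections(pe)
            if s["executable"] and s["entropy"] > threshold]


def build_fixture() -> bytes:
    """Constructed minimal PE: a uniform-byte 'code' section and a zeroed resource section."""
    text_data = bytes(range(256)) * 4   # every byte value 4 times -> entropy exactly 8.0
    rsrc_data = bytes(512)              # all zero -> entropy 0.0
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack(COFF_HEADER, 0x14C, 2, 0, 0, 0, 0, 0x0102)   # no optional header, for brevity
    text_hdr = struct.pack(SECTION_HEADER, b".text", 0x1000, 0x2000, len(text_data), 0x200,
                           0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    rsrc_hdr = struct.pack(SECTION_HEADER, b".rsrc", 0x200, 0x4000, len(rsrc_data), 0x600,
                           0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = (dos + b"PE\0\0" + coff + text_hdr + rsrc_hdr).ljust(0x200, b"\0")
    return headers + text_data + rsrc_data


if __name__ == "__main__":
    for s in parse_sections(build_fixture()):
        print(f"{s['name']:<8} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"exec={s['executable']} entropy={s['entropy']:.3f}")
    print("packed candidates:", flag_packed_sections(build_fixture()))
```

Run against a real file by replacing `build_fixture()` with the file's bytes. Entropy alone is a weak signal (a large embedded certificate or compressed resource also scores high), so combine it with what the import table shows: a section at 7.9 in a module whose only import is `mscoree.dll!_CorExeMain` leaves little room for anything except a packed payload.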

                                                                                                                      Resources

Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0xb80a0  0x34c  data
RT_MANIFEST  0xb83ec  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                                      Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                                                      Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020
Assembly Version  1.0.0.0
InternalName      ScreenCapturer.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       ScreenCapturer
ProductVersion    1.0.0.0
FileDescription   ScreenCapturer
OriginalFilename  ScreenCapturer.exe

The version resource names the binary ScreenCapturer.exe while it was delivered as Payment Advice 80642111.exe, and CompanyName is empty. Version strings are set freely by whoever builds the file and carry no trust, but a mismatch between the original file name and the delivered name is itself a useful triage signal.

                                                                                                                      Network Behavior

                                                                                                                      Network Port Distribution

                                                                                                                      TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Feb 24, 2021 07:28:05.155992031 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:05.244574070 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:05.244694948 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:05.692012072 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:05.695194960 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:05.783704996 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:05.783732891 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:05.784580946 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:05.873239040 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:05.918263912 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:05.977410078 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:06.069293022 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:06.069333076 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:06.069355011 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:06.069454908 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:06.078835964 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:06.166965008 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:06.215189934 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:06.229089022 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:06.317192078 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:06.318304062 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:06.406965017 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:06.408186913 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:06.538579941 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:08.504204035 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:08.504808903 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:08.592305899 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:08.593302011 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:08.596236944 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:08.686605930 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:08.716736078 CET  49726        587        192.168.2.5    31.209.137.12
Feb 24, 2021 07:28:08.805481911 CET  587          49726      31.209.137.12  192.168.2.5
Feb 24, 2021 07:28:08.805589914 CET  49726        587        192.168.2.5    31.209.137.12

                                                                                                                      UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 24, 2021 07:26:53.098968029 CET  52704        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:53.149944067 CET  52212        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:53.159224033 CET  53           52704      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:53.201551914 CET  53           52212      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:53.776766062 CET  54302        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:53.825568914 CET  53           54302      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:53.974134922 CET  53784        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:54.033963919 CET  53           53784      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:54.239633083 CET  65307        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:54.293395996 CET  53           65307      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:54.350033045 CET  64344        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:54.399267912 CET  53           64344      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:54.809977055 CET  62060        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:54.859361887 CET  53           62060      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:55.995503902 CET  61805        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:56.044677973 CET  53           61805      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:57.045861006 CET  54795        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:57.104499102 CET  53           54795      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:57.207887888 CET  49557        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:57.257030010 CET  53           49557      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:58.520972013 CET  61733        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:58.571281910 CET  53           61733      8.8.8.8      192.168.2.5
Feb 24, 2021 07:26:59.516694069 CET  65447        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:26:59.576988935 CET  53           65447      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:00.802773952 CET  52441        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:00.851752043 CET  53           52441      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:01.999958992 CET  62176        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:02.048999071 CET  53           62176      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:03.588164091 CET  59596        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:03.640224934 CET  53           59596      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:05.481010914 CET  65296        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:05.532744884 CET  53           65296      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:06.920413017 CET  63183        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:06.969310999 CET  53           63183      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:08.115135908 CET  60151        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:08.166940928 CET  53           60151      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:16.313922882 CET  56969        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:16.374413013 CET  53           56969      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:23.339302063 CET  55161        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:23.401890039 CET  53           55161      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:40.123382092 CET  54757        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:40.176876068 CET  53           54757      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:43.666390896 CET  49992        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:43.724270105 CET  53           49992      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:44.313889027 CET  60075        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:44.365324974 CET  53           60075      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:46.629843950 CET  55016        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:46.678950071 CET  53           55016      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:49.008070946 CET  64345        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:49.068207026 CET  53           64345      8.8.8.8      192.168.2.5
Feb 24, 2021 07:27:49.250905991 CET  57128        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:27:49.299901962 CET  53           57128      8.8.8.8      192.168.2.5
Feb 24, 2021 07:28:05.034975052 CET  54791        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:28:05.099201918 CET  53           54791      8.8.8.8      192.168.2.5
Feb 24, 2021 07:28:09.248765945 CET  50463        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:28:09.313528061 CET  53           50463      8.8.8.8      192.168.2.5
Feb 24, 2021 07:29:01.234761000 CET  50394        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:29:01.283891916 CET  53           50394      8.8.8.8      192.168.2.5
Feb 24, 2021 07:29:01.734401941 CET  58530        53         192.168.2.5  8.8.8.8
Feb 24, 2021 07:29:01.806427002 CET  53           58530      8.8.8.8      192.168.2.5

DNS Queries

Timestamp                            Source IP    Dest IP      Trans ID  OP Code             Name                    Type                  Class
Feb 24, 2021 07:27:16.313922882 CET  192.168.2.5  8.8.8.8      0xbe82    Standard query (0)  10.76.9.0.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Feb 24, 2021 07:27:43.666390896 CET  192.168.2.5  8.8.8.8      0xdc7b    Standard query (0)  10.76.9.0.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Feb 24, 2021 07:28:05.034975052 CET  192.168.2.5  8.8.8.8      0x9d34    Standard query (0)  smtp.vivaldi.net        A (IP address)        IN (0x0001)

DNS Answers

Timestamp                            Source IP    Dest IP      Trans ID  Reply Code      Name                    CName  Address        Type                  Class
Feb 24, 2021 07:27:16.374413013 CET  8.8.8.8      192.168.2.5  0xbe82    Name error (3)  10.76.9.0.in-addr.arpa  none   none           PTR (Pointer record)  IN (0x0001)
Feb 24, 2021 07:27:43.724270105 CET  8.8.8.8      192.168.2.5  0xdc7b    Name error (3)  10.76.9.0.in-addr.arpa  none   none           PTR (Pointer record)  IN (0x0001)
Feb 24, 2021 07:28:05.099201918 CET  8.8.8.8      192.168.2.5  0x9d34    No error (0)    smtp.vivaldi.net               31.209.137.12  A (IP address)        IN (0x0001)

SMTP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP        Commands
Feb 24, 2021 07:28:05.692012072 CET  587          49726      31.209.137.12  192.168.2.5    220 smtp.vivaldi.net ESMTP Postfix (Ubuntu)
Feb 24, 2021 07:28:05.695194960 CET  49726        587        192.168.2.5    31.209.137.12  EHLO 609290
Feb 24, 2021 07:28:05.783732891 CET  587          49726      31.209.137.12  192.168.2.5    250-smtp.vivaldi.net
                                                                                           250-PIPELINING
                                                                                           250-SIZE 36700160
                                                                                           250-ETRN
                                                                                           250-STARTTLS
                                                                                           250-ENHANCEDSTATUSCODES
                                                                                           250-8BITMIME
                                                                                           250-DSN
                                                                                           250 SMTPUTF8
Feb 24, 2021 07:28:05.784580946 CET  49726        587        192.168.2.5    31.209.137.12  STARTTLS
Feb 24, 2021 07:28:05.873239040 CET  587          49726      31.209.137.12  192.168.2.5    220 2.0.0 Ready to start TLS

                                                                                                                      Code Manipulations

                                                                                                                      Statistics

                                                                                                                      Behavior

                                                                                                                      System Behavior

                                                                                                                      General

                                                                                                                      Start time:07:27:01
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:'C:\Users\user\Desktop\Payment Advice 80642111.exe'
                                                                                                                      Imagebase:0x6d0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.235200966.00000000050F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:03
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Imagebase:0x1d0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:03
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Imagebase:0x2b0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:04
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Imagebase:0x1d0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:04
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\Desktop\Payment Advice 80642111.exe
                                                                                                                      Imagebase:0x5c0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000004.00000002.293943590.0000000008500000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000004.00000002.294011237.0000000008650000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:23
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:1171592 bytes
                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:07:27:23
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:1171592 bytes
                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:07:27:25
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 176
                                                                                                                      Imagebase:0xcd0000
                                                                                                                      File size:434592 bytes
                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:07:27:26
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 176
                                                                                                                      Imagebase:0xcd0000
                                                                                                                      File size:434592 bytes
                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:07:27:30
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                                                                                      Imagebase:0x350000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000015.00000002.309460071.0000000004DF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                      • Detection: 24%, Metadefender
                                                                                                                      • Detection: 68%, ReversingLabs
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:33
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      Imagebase:0x6e0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000017.00000002.507838378.0000000007CD0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000017.00000002.507820706.0000000007CC0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000002.503465573.0000000003D21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:38
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                                                                                      Imagebase:0xaf0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000001A.00000002.327982502.0000000005620000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:42
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                      Imagebase:0xfb0000
                                                                                                                      File size:744448 bytes
                                                                                                                      MD5 hash:85BD30D4211B1DFF2FE6847502341831
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                      Reputation:low

                                                                                                                      General

                                                                                                                      Start time:07:27:53
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:1171592 bytes
                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      Reputation:high

                                                                                                                      General

                                                                                                                      Start time:07:27:53
                                                                                                                      Start date:24/02/2021
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:1171592 bytes
                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                      Reputation:high
