Windows Analysis Report Costa Order.exe

Overview

General Information

Sample Name: Costa Order.exe
Analysis ID: 453873
MD5: bc4e444c2dd7463dc563119593bc7764
SHA1: d54092772dd1d8ca8b20b84f44e0931d089d79d7
SHA256: fd95b0eb1d2a5650592de694cda956d9dcf0b1c3312fcb3273571f858762ae15
Tags: exe, HawkEye

Detection

Detected: HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Launches processes in debugging mode, may be used to hinder debugging
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Costa Order.exe (PID: 4788 cmdline: 'C:\Users\user\Desktop\Costa Order.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
    • Costa Order.exe (PID: 5540 cmdline: {path} MD5: BC4E444C2DD7463DC563119593BC7764)
    • Costa Order.exe (PID: 5640 cmdline: {path} MD5: BC4E444C2DD7463DC563119593BC7764)
      • Windows Update.exe (PID: 1328 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
        • Windows Update.exe (PID: 4848 cmdline: {path} MD5: BC4E444C2DD7463DC563119593BC7764)
          • vbc.exe (PID: 3880 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 1036 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 5172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 5324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 2992 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
  • WindowsUpdate.exe (PID: 5432 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b6f2:$key: HawkEyeKeylogger
  • 0x7d954:$salt: 099u787978786
  • 0x7bd33:$string1: HawkEye_Keylogger
  • 0x7cb86:$string1: HawkEye_Keylogger
  • 0x7d8b4:$string1: HawkEye_Keylogger
  • 0x7c11c:$string2: holdermail.txt
  • 0x7c13c:$string2: holdermail.txt
  • 0x7c05e:$string3: wallet.dat
  • 0x7c076:$string3: wallet.dat
  • 0x7c08c:$string3: wallet.dat
  • 0x7d478:$string4: Keylog Records
  • 0x7d790:$string4: Keylog Records
  • 0x7d9ac:$string5: do not script -->
  • 0x7b6da:$string6: \pidloc.txt
  • 0x7b768:$string7: BSPLIT
  • 0x7b778:$string7: BSPLIT
0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bd8b:$hawkstr1: HawkEye Keylogger
  • 0x7cbcc:$hawkstr1: HawkEye Keylogger
  • 0x7cefb:$hawkstr1: HawkEye Keylogger
  • 0x7d056:$hawkstr1: HawkEye Keylogger
  • 0x7d1b9:$hawkstr1: HawkEye Keylogger
  • 0x7d450:$hawkstr1: HawkEye Keylogger
  • 0x7b919:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf4e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0a5:$hawkstr2: Dear HawkEye Customers!
  • 0x7d20c:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba3a:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings
24.2.Windows Update.exe.7d50000.12.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
24.2.Windows Update.exe.2d1b48c.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
24.2.Windows Update.exe.2d1b48c.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
24.2.Windows Update.exe.2d1b48c.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0xf8e0:$hawkstr1: HawkEye Keylogger
  • 0x12df0:$hawkstr1: HawkEye Keylogger
  • 0x131cc:$hawkstr1: HawkEye Keylogger
  • 0x141bc:$hawkstr1: HawkEye Keylogger
  • 0xf398:$hawkstr2: Dear HawkEye Customers!
  • 0x12e50:$hawkstr2: Dear HawkEye Customers!
  • 0x1322c:$hawkstr2: Dear HawkEye Customers!
  • 0xf4c6:$hawkstr3: HawkEye Logger Details:
24.0.Windows Update.exe.3d12370.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Costa Order.exe, Virustotal: Detection: 46%
Source: Costa Order.exe, ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Costa Order.exe, Joe Sandbox ML: detected
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, Avira: Label: TR/Inject.vcoldi
Source: 24.2.Windows Update.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 24.2.Windows Update.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 24.0.Windows Update.exe.400000.15.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 24.0.Windows Update.exe.400000.15.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.Costa Order.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.Costa Order.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 24.0.Windows Update.exe.400000.1.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 24.0.Windows Update.exe.400000.1.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 17.2.Windows Update.exe.415bd60.2.unpack, Avira: Label: TR/Inject.vcoldi
Source: Costa Order.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Costa Order.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Xml.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Microsoft.VisualBasic.pdb8 source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Windows Update.PDB source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdb! source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.pdbq source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Xml.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdbl source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Core.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: (P[j0C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp, WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Drawing.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Management.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: mscorlib.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000002.421747814.0000000002D31000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Core.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Xml.pdbD source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: .pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 4x nop then jmp 0510A630h
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: unknown, DNS traffic detected: queries for: 54.229.13.0.in-addr.arpa
            Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: vbc.exe, 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: Windows Update.exe, 00000018.00000000.389603296.0000000002D5E000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
            Source: WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
            Contains functionality to log keystrokes (.Net Source)
            Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
            Installs a global keyboard hook
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
            Source: Costa Order.exe, 00000002.00000002.281981949.0000000001070000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            .NET source code contains very large strings
            Source: Costa Order.exe, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: 2.2.Costa Order.exe.8c0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: 2.0.Costa Order.exe.8c0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: 9.2.Costa Order.exe.b0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: 9.0.Costa Order.exe.b0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: Windows Update.exe.10.dr, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: 10.0.Costa Order.exe.9b0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: 10.2.Costa Order.exe.9b0000.4.unpack, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: 17.0.Windows Update.exe.bf0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Source: WindowsUpdate.exe.24.dr, Model.Enemy/Helis/SmallHeli.cs | Long String: Length: 32771
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: Costa Order.exe
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_008C2050
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_01317B20
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C812D0
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C83ABD
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C81010
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C812C1
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C8290B
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C826EC
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C83C22
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_02C80D41
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056BDDE8
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B0D30
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056BADA0
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056BB428
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056BB648
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B5168
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056BB870
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B0040
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B7851
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B7030
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B0006
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B70C0
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056BA250
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056BE2E0
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B1AB8
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 2_2_056B8299
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 9_2_000B2050
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_009B2050
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_02C1B29C
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_02C1C565
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_02C1C568
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_02C199D0
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_02C1DFD3
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_07673B53
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_07670006
            Source: C:\Users\user\Desktop\Costa Order.exeCode function: 10_2_07670040
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_00BF2050
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_012E7B20
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_012E7B11
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_017112D0
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_0171290B
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_01712860
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_01712850
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_017112C1
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_01710D50
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_01710D41
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_055F34D5
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_055F10B0
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_055F1A58
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 17_2_055F1A68
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_00752050
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_010EB29C
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_010EC310
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_010EB29A
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_010E99D0
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_010EDFD0
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_06F3C498
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_06F3C150
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_06F3CD68
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_06F30031
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 24_2_06F37D20
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
            Source: Costa Order.exeBinary or memory string: OriginalFilename vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.281533964.00000000008C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.281981949.0000000001070000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.282732245.0000000002D31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.296012823.0000000007320000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Costa Order.exe
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Costa Order.exe
            Source: Costa Order.exeBinary or memory string: OriginalFilename vs Costa Order.exe
            Source: Costa Order.exe, 00000009.00000000.279148755.00000000000B2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000000.280632565.00000000009B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291791878.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.297903198.0000000007270000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Costa Order.exe
Source: Costa Order.exe | Binary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
Source: Costa Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 24.2.Windows Update.exe.7d50000.12.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d50000.27.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.7d20000.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.2fc4dd4.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d20000.13.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d20000.26.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.2e2d2a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d33cdc.21.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d50000.14.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2fc0168.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d4d404.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.2d33cdc.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.429765718.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.398220515.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000002.429705433.0000000007D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.406136458.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.406053049.0000000007D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.398164830.0000000007D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Costa Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Windows Update.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.24.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'UdRPb9QMBtDQ7GBdCKnbF6Xtf3+nKb0F9ck5q4dNxt+WHP0YcHC0Yw+eq34OWfWd', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@19/14@2/2
Source: C:\Users\user\Desktop\Costa Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Costa Order.exe.log
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Mutant created: \Sessions\1\BaseNamedObjects\PfnKizGbmo
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4848
Source: C:\Users\user\Desktop\Costa Order.exe | File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
            Source: Costa Order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Costa Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Costa Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\Costa Order.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Costa Order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: Costa Order.exeVirustotal: Detection: 46%
            Source: Costa Order.exeReversingLabs: Detection: 28%
            Source: C:\Users\user\Desktop\Costa Order.exeFile read: C:\Users\user\Desktop\Costa Order.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Costa Order.exe 'C:\Users\user\Desktop\Costa Order.exe'
            Source: C:\Users\user\Desktop\Costa Order.exeProcess created: C:\Users\user\Desktop\Costa Order.exe {path}
            Source: C:\Users\user\Desktop\Costa Order.exeProcess created: C:\Users\user\Desktop\Costa Order.exe {path}
            Source: C:\Users\user\Desktop\Costa Order.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe {path}
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
            Source: C:\Users\user\Desktop\Costa Order.exeProcess created: C:\Users\user\Desktop\Costa Order.exe {path}
            Source: C:\Users\user\Desktop\Costa Order.exeProcess created: C:\Users\user\Desktop\Costa Order.exe {path}
            Source: C:\Users\user\Desktop\Costa Order.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe {path}
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
            Source: C:\Users\user\Desktop\Costa Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Costa Order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: Costa Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Costa Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: System.Core.ni.pdbRSDSD source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Xml.ni.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: Microsoft.VisualBasic.pdb8 source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
            Source: Binary string: Accessibility.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Configuration.ni.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: Windows Update.PDB source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: CMemoryExecute.pdb! source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Configuration.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Configuration.pdbq source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Xml.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: CMemoryExecute.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: CMemoryExecute.pdbl source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Core.ni.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Windows.Forms.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: (P[j0C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp, WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Drawing.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Management.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: mscorlib.ni.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000002.421747814.0000000002D31000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: System.Core.pdb source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp
            Source: Binary string: System.Xml.pdbD source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: .pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
            Source: Binary string: System.ni.pdb source: WERBEB5.tmp.dmp.31.dr

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Costa Order.exe, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 2.2.Costa Order.exe.8c0000.0.unpack, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 2.0.Costa Order.exe.8c0000.0.unpack, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 9.2.Costa Order.exe.b0000.0.unpack, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 9.0.Costa Order.exe.b0000.0.unpack, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: Windows Update.exe.10.dr, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 10.0.Costa Order.exe.9b0000.0.unpack, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 10.2.Costa Order.exe.9b0000.4.unpack, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 17.0.Windows Update.exe.bf0000.0.unpack, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: WindowsUpdate.exe.24.dr, MainConsole.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 2_2_0131C462 push 78013AC1h; ret
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 2_2_02C8690D push FFFFFF8Bh; iretd
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 2_2_02C837B0 pushad ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C16A64 pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C199B0 pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C141E3 push edi; retf 0002h
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C16468 pushad ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C1AE2B pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C1ACE0 pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C1AC93 pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C1AC53 pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C1AC33 pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C1AC3B pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C1AD30 pushfd ; retf
            Source: C:\Users\user\Desktop\Costa Order.exe | Code function: 10_2_02C137A8 push eax; retf
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 17_2_0171394E pushad ; retf
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 17_2_01714138 push esp; iretd
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 17_2_0171682E push dword ptr [edx+ebp*2-75h]; iretd
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 24_2_010EE672 push esp; ret
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 24_2_051050E0 push eax; ret
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 24_2_0510AC12 pushfd ; ret
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 24_2_0510FC04 push E801005Eh; ret
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 24_2_051049E2 pushfd ; retf
            Source: initial sample | Static PE information: section name: .text entropy: 7.52415197503
            Source: C:\Users\user\Desktop\Costa Order.exe | File created: C:\Users\user\AppData\Roaming\Windows Update.exe
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

            Hooking and other Techniques for Hiding and Protection:

            Changes the view of files in windows explorer (hidden files and folders)
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
            Deletes itself after installation
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File deleted: c:\users\user\desktop\costa order.exe
            Source: C:\Users\user\Desktop\Costa Order.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match; File source: 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Costa Order.exe, 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp, Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: Costa Order.exe, 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp, Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\Costa Order.exe; Thread delayed: delay time: 922337203685477 (3 identical events)
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 922337203685477 (2 identical events)
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 300000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 180000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Window / User API: threadDelayed 582
            Source: C:\Users\user\Desktop\Costa Order.exe TID: 5080; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Costa Order.exe TID: 1240; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Costa Order.exe TID: 808; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1932; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2576; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 4332; Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5044; Thread sleep time: -140000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5096; Thread sleep time: -300000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5148; Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596; Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596; Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596; Thread sleep time: -93867s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596; Thread sleep time: -93725s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596; Thread sleep time: -93561s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\Costa Order.exe; Thread delayed: delay time: 922337203685477 (3 identical events)
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 922337203685477 (2 identical events)
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 120000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 140000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 300000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 180000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 100000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 93867
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 93725
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Thread delayed: delay time: 93561
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: vmware
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: VMWARE
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
            Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: C:\Users\user\Desktop\Costa Order.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process queried: DebugPort (2 identical events)
            Source: C:\Users\user\Desktop\Costa Order.exe; Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process token adjusted: Debug (2 identical events)
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
            Source: C:\Users\user\Desktop\Costa Order.exe; Memory allocated: page read and write | page guard
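A caveat when reading the sleep evidence above: the value 922337203685477 is not a delay the sample computed. Sleep(INFINITE) and the INFINITE wait functions reach the kernel as NtDelayExecution with a relative interval of 0x8000000000000000 in 100 ns units, and that interval rendered in milliseconds is 2^63 / 10000, truncated, which is exactly 922337203685477. Those entries are threads parked until signalled (typical of a .NET GUI or worker thread), and the same pattern appears in reports of benign .NET programs. The entries that matter for evasion are the finite ones: 120000, 140000, 300000 and 180000 on four separate threads, and a chain of 100000, 93867, 93725 and 93561 on TID 3596, which is what the "Contains long sleeps (>= 3 min)" signature in the overview is keyed on. The following Python triage helper is an added example, not part of the Joe Sandbox report or of the HawkEye sample: it parses the fused report lines exactly as they appear on this page (constructed input copied from the section above), separates the INFINITE waits from computed delays, and sums the computed ones per thread so the total wall-clock the sample burns can be compared against a sandbox analysis window. Two assumptions are labelled in the code: the report's "s" suffix is treated as milliseconds (the 300000 entry is the five-minute sleep behind the ">= 3 min" signature), and the doubled value 1844674407370954 on TID 3596 is treated as the same INFINITE interval rendered differently.

```python
import re

# Sleep(INFINITE) / Wait*(INFINITE) reach the kernel as NtDelayExecution with a
# relative interval of 0x8000000000000000 (100 ns units). Rendered in
# milliseconds that is 2**63 // 10_000 = 922337203685477: a parked thread,
# not a computed evasion delay.
INFINITE_MS = 2**63 // 10_000


def is_infinite(ms):
    # Exactly INFINITE_MS, or an exact multiple of it. The report shows 2x that
    # value on one thread; ASSUMPTION: same INFINITE interval rendered differently.
    return ms >= INFINITE_MS and ms % INFINITE_MS == 0


# One report line in either fused layout seen on the page:
#   <proc> TID: <tid>Thread sleep time: -<n>s >= -30000s
#   <proc>Thread delayed: delay time: <n>
# ASSUMPTION: units are milliseconds despite the "s" suffix (300000 is the
# five-minute sleep behind the report's "Contains long sleeps (>= 3 min)").
LINE_RE = re.compile(
    r"(?P<proc>[A-Za-z]:\\[^\r\n]*?\.exe)"
    r"(?: TID: (?P<tid>\d+))?"
    r"(?:Thread sleep time: -(?P<sleep>\d+)s|Thread delayed: delay time: (?P<delay>\d+))"
)


def parse_delays(report_text):
    """Return one dict per sleep/delay line: proc, tid, ms, kind, source."""
    entries = []
    for m in LINE_RE.finditer(report_text):
        ms = int(m.group("sleep") or m.group("delay"))
        entries.append({
            "proc": m.group("proc"),
            "tid": m.group("tid"),
            "ms": ms,
            "kind": "infinite" if is_infinite(ms) else "finite",
            # 'sleep' lines carry a TID; 'delayed' lines restate the same events
            # under a second signature, so only 'sleep' lines are summed below.
            "source": "sleep" if m.group("sleep") else "delayed",
        })
    return entries


def delay_budget_ms(entries):
    """Wall-clock the sample spends in finite sleeps before it acts."""
    return sum(e["ms"] for e in entries
               if e["source"] == "sleep" and e["kind"] == "finite")


def per_thread_ms(entries):
    """Finite sleep total per TID; one thread chaining several sleeps is the tell."""
    totals = {}
    for e in entries:
        if e["source"] == "sleep" and e["kind"] == "finite":
            totals[e["tid"]] = totals.get(e["tid"], 0) + e["ms"]
    return totals


def outlasts_sandbox(entries, sandbox_timeout_s=300):
    """True if the summed finite sleeps exceed the analysis window."""
    return delay_budget_ms(entries) > sandbox_timeout_s * 1000


# Constructed input: the fourteen 'Thread sleep time' lines of this report plus
# one 'Thread delayed' line, to show that the duplicate source is not summed.
SAMPLE = r"""
C:\Users\user\Desktop\Costa Order.exe TID: 5080Thread sleep time: -922337203685477s >= -30000s
C:\Users\user\Desktop\Costa Order.exe TID: 1240Thread sleep time: -922337203685477s >= -30000s
C:\Users\user\Desktop\Costa Order.exe TID: 808Thread sleep time: -922337203685477s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1932Thread sleep time: -922337203685477s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2576Thread sleep time: -922337203685477s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 4332Thread sleep time: -120000s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5044Thread sleep time: -140000s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5096Thread sleep time: -300000s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5148Thread sleep time: -180000s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596Thread sleep time: -1844674407370954s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596Thread sleep time: -100000s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596Thread sleep time: -93867s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596Thread sleep time: -93725s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596Thread sleep time: -93561s >= -30000s
C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 300000
"""

if __name__ == "__main__":
    ents = parse_delays(SAMPLE)
    print(len(ents), "entries,", sum(e["kind"] == "infinite" for e in ents), "infinite")
    print("finite budget ms:", delay_budget_ms(ents))
    print("per thread ms:", per_thread_ms(ents))
    print("outlasts a 5 min sandbox run:", outlasts_sandbox(ents))
```

On this report the finite budget comes to 1121153 ms, about 18.7 minutes, with 381153 ms of it on TID 3596 alone; a sandbox that cuts analysis at five minutes would never reach the credential-dumping stage, which is why the long-sleep signature is worth weighting on its own even when nothing else has fired yet.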

            HIPS / PFW / Operating System Protection Evasion:

            .NET source code references suspicious native API functions
            Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 10.2.Costa Order.exe.400000.0.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Injects a PE file into foreign processes
            Source: C:\Users\user\Desktop\Costa Order.exe; Memory written: C:\Users\user\Desktop\Costa Order.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Users\user\AppData\Roaming\Windows Update.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A (2 identical events)
            Sample uses process hollowing technique
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 (2 identical events)
            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
            Source: C:\Users\user\Desktop\Costa Order.exe; Process created: C:\Users\user\Desktop\Costa Order.exe {path} (2 identical events)
            Source: C:\Users\user\Desktop\Costa Order.exe; Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Users\user\AppData\Roaming\Windows Update.exe {path}
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
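The process tree above is the part of this report that translates most directly into a detection. vbc.exe is the Visual Basic compiler and has no /stext switch; /stext is the save-as-text switch of NirSoft's recovery tools, which is consistent with the MailPassView and WebBrowserPassView Yara hits in the overview and with the two dump files holdermail.txt and holderwb.txt. The two distinct sets of written section addresses (412000/416000/418000 versus 443000/44F000/452000) are also consistent with two different payloads being mapped into two vbc.exe instances. The following Python is an added example and is not part of the Joe Sandbox report, of HawkEye, or of any vendor's rule set: it scores constructed Sysmon Event ID 1 style records modelled on the lines above and reports which of four rules fire, then checks whether a flagged parent leads to a .NET host running a NirSoft dump, which is the whole chain on this page. The host list beyond vbc.exe, the masquerade name list and the user-writable path test are my assumptions and are labelled as such in the code.

```python
import ntpath

# .NET Framework binaries commonly chosen as hollowing hosts by RunPE-style
# loaders. vbc.exe is the one this report shows; the rest are an ASSUMPTION.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "applaunch.exe"}

# NirSoft recovery tools (MailPassView, WebBrowserPassView, ...) write their
# dump with /stext <file>; the other switches are the same tools' alternate
# output formats. A compiler has no such switch, so vbc.exe + /stext is the
# dumper, not the compiler.
NIRSOFT_SWITCHES = {"/stext", "/shtml", "/sverhtml", "/sxml", "/scomma", "/stab"}

# Component names a dropper picks to blend in. ASSUMPTION beyond the
# "Windows Update.exe" / "WindowsUpdate.exe" names this report shows.
MASQUERADE_NAMES = {"windowsupdate.exe", "svchost.exe", "csrss.exe",
                    "lsass.exe", "explorer.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    # ASSUMPTION: anything under a profile, ProgramData or a Temp directory.
    p = path.lower()
    return "\\users\\" in p or "\\programdata\\" in p or "\\temp\\" in p


def score_process_creation(ev):
    """ev uses Sysmon Event ID 1 field names: Image, CommandLine, ParentImage.
    Returns a list of (rule_id, reason); an empty list means nothing fired."""
    image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    tokens = {t.strip("'\"").lower() for t in ev.get("CommandLine", "").split()}
    findings = []
    if image in DOTNET_HOSTS and tokens & NIRSOFT_SWITCHES:
        findings.append(("dotnet_host_nirsoft_dump",
                         f"{image} run with a NirSoft output switch: {ev['CommandLine']}"))
    if image in DOTNET_HOSTS and _user_writable(ev["ParentImage"]):
        findings.append(("dotnet_host_from_user_writable_parent",
                         f"{image} spawned by {ev['ParentImage']}"))
    if image == parent and _user_writable(ev["Image"]):
        findings.append(("self_spawn_from_user_writable",
                         f"{ev['Image']} re-launched itself (RunPE self-injection pattern)"))
    if image.replace(" ", "") in MASQUERADE_NAMES and _user_writable(ev["Image"]):
        findings.append(("masquerading_system_name",
                         f"{ev['Image']} mimics a Windows component outside a system directory"))
    return findings


def fired_rules(ev):
    return sorted(rule for rule, _ in score_process_creation(ev))


def is_hawkeye_like_chain(events):
    """True when a .NET host runs a NirSoft dump and its parent was itself
    flagged as a self-spawning or masquerading binary."""
    flagged_parents = {
        ev["Image"].lower() for ev in events
        if {"self_spawn_from_user_writable", "masquerading_system_name"} & set(fired_rules(ev))
    }
    return any("dotnet_host_nirsoft_dump" in fired_rules(ev)
               and ev["ParentImage"].lower() in flagged_parents
               for ev in events)


# Constructed records mirroring the process tree in this report, plus one
# benign build-time vbc.exe launch that must not fire.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\Costa Order.exe",
     "ParentImage": r"C:\Users\user\Desktop\Costa Order.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Costa Order.exe"'},
    {"Image": r"C:\Users\user\AppData\Roaming\Windows Update.exe",
     "ParentImage": r"C:\Users\user\Desktop\Costa Order.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\Windows Update.exe"'},
    {"Image": r"C:\Users\user\AppData\Roaming\Windows Update.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\Windows Update.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\Windows Update.exe"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\Windows Update.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig /out:obj\Release\App.exe Program.vb"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        for rule, why in score_process_creation(ev):
            print(f"[{rule}] {why}")
    print("HawkEye-like chain:", is_hawkeye_like_chain(EVENTS))
```

The self-spawn and user-writable-parent rules are weak on their own (installers and updaters do both), which is why the chain check requires the strong rule, a .NET host carrying a NirSoft switch, to hang off a parent that already fired; in a SIEM the equivalent is a correlation on ParentProcessGuid rather than the name match used here.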
            Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp; Binary or memory string: Program Manager
            Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Users\user\Desktop\Costa Order.exe VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Costa Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Users\user\Desktop\Costa Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Users\user\AppData\Roaming\Windows Update.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Users\user\AppData\Roaming\Windows Update.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Windows Update.exe, 00000018.00000002.428836960.0000000006F40000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY

Yara detected MailPassView
Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3cf9930.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.3cf9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3cf9930.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3cf9930.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.3cf9930.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3cf9930.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.422553167.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.391632234.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 24.0.Windows Update.exe.3d12370.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3cf9930.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dc3b6d.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.3cf9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3d12370.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.4163b6d.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3d12370.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3d12370.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.3d12370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.3cf9930.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.3d12370.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.422553167.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.391632234.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1036, type: MEMORY

            Remote Access Functionality:

Detected HawkEye Rat
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Costa Order.exe, 0000000A.00000002.293093252.0000000002DD1000.00000004.00000001.sdmp, String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000018.00000002.421747814.0000000002D31000.00000004.00000001.sdmp, String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000018.00000000.389603296.0000000002D5E000.00000004.00000001.sdmp, String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Yara detected HawkEye Keylogger
Source: Yara match, File source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match, File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY

            Mitre Att&ck Matrix

Techniques per tactic column (digits in parentheses are the per-technique counts shown in the matrix):

Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (21), Native API (1), Shared Modules (1), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Registry Run Keys / Startup Folder (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Process Injection (312), Registry Run Keys / Startup Folder (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (31), Software Packing (13), File Deletion (1), Masquerading (1), Virtualization/Sandbox Evasion (41), Process Injection (312), Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (1), Input Capture (211), Credentials in Registry (1), Credentials In Files (1), LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: Peripheral Device Discovery (1), File and Directory Discovery (1), System Information Discovery (15), Security Software Discovery (241), Process Discovery (3), Virtualization/Sandbox Evasion (41), Application Window Discovery (1), Remote System Discovery (1), System Network Connections Discovery
Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (11), Data from Local System (1), Email Collection (1), Input Capture (211), Clipboard Data (1), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

            Behavior Graph

Behavior Graph ID: 453873, Sample: Costa Order.exe, Startdate: 25/07/2021, Architecture: WINDOWS, Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 13 other signatures

Process tree with created files, DNS/IP contacts and signatures (node numbers as in the graph):

• Costa Order.exe (9), started
  • Created file: C:\Users\user\AppData\...\Costa Order.exe.log (ASCII)
  • Signature: Injects a PE file into a foreign processes
  • Costa Order.exe (17), started
    • DNS/IP: 192.168.2.1 (ASN unknown, country unknown)
    • Created files: C:\Users\user\AppData\...\Windows Update.exe (PE32); C:\...\Windows Update.exe:Zone.Identifier (ASCII)
    • Windows Update.exe (23), started
      • Signature: Injects a PE file into a foreign processes
      • Windows Update.exe (26), started
        • DNS/IP: safeconnectplus.com 192.185.106.46, ports 49743, 587, UNIFIEDLAYER-AS-1 US (United States); 54.229.13.0.in-addr.arpa
        • Created files: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32); C:\...\WindowsUpdate.exe:Zone.Identifier (ASCII)
        • Signatures: Changes the view of files in windows explorer (hidden files and folders); Deletes itself after installation; Writes to foreign memory regions; 3 other signatures
        • vbc.exe (31), started
          • Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
        • vbc.exe (34), started
          • Signature: Tries to harvest and steal browser information (history, passwords, etc)
        • WerFault.exe (36), started
        • WerFault.exe (38), started
  • Costa Order.exe (21), started
• WindowsUpdate.exe (13), started
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
• WindowsUpdate.exe (15), started

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
Costa Order.exe | 46% | Virustotal | -
Costa Order.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Costa Order.exe | 100% | Joe Sandbox ML | -

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Windows Update.exe | 46% | Virustotal | -
C:\Users\user\AppData\Roaming\Windows Update.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 46% | Virustotal | -
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

            Unpacked PE Files

Source | Detection | Scanner | Label
2.2.Costa Order.exe.3dbbd60.2.unpack | 100% | Avira | TR/Inject.vcoldi
24.2.Windows Update.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
24.2.Windows Update.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
24.0.Windows Update.exe.400000.15.unpack | 100% | Avira | TR/AD.MExecute.lzrac
24.0.Windows Update.exe.400000.15.unpack | 100% | Avira | SPR/Tool.MailPassView.473
10.2.Costa Order.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
10.2.Costa Order.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
28.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
24.0.Windows Update.exe.400000.1.unpack | 100% | Avira | TR/AD.MExecute.lzrac
24.0.Windows Update.exe.400000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473
17.2.Windows Update.exe.415bd60.2.unpack | 100% | Avira | TR/Inject.vcoldi

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
safeconnectplus.com | 192.185.106.46 | true | false | - | high
54.229.13.0.in-addr.arpa | unknown | unknown | false | - | high

                URLs from Memory and Binaries

http://www.apache.org/licenses/LICENSE-2.0
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.fontbureau.com
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.fontbureau.com/designersG
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.fontbureau.com/designers/?
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.founder.com.cn/cn/bThe
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.fontbureau.com/designers?
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.tiro.com
  Source: WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.fontbureau.com/designers
  Source: WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.goodfont.co.kr
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.carterandcone.coml
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.sajatypeworks.com
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://safeconnectplus.com
  Source: Windows Update.exe, 00000018.00000002.422390459.0000000003173000.00000004.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.typography.netD
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlN
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.founder.com.cn/cn/cThe
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.galapagosdesign.com/staff/dennis.htm
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://fontfabrik.com
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.founder.com.cn/cn
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.fontbureau.com/designers/frere-jones.html
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.jiyu-kobo.co.jp/
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://whatismyipaddress.com/-
  Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp; Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp; Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.galapagosdesign.com/DPlease
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.fontbureau.com/designers8
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.fonts.com
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.sandoll.co.kr
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://www.site.com/logs.php
  Source: Windows Update.exe, 00000018.00000000.389603296.0000000002D5E000.00000004.00000001.sdmp; Windows Update.exe, 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp
  Malicious: false; Antivirus Detection: none; Reputation: high
http://www.urwpp.deDPlease
  Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp; Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp; Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp; Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp; WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp; WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp
  Malicious: false
                                          • URL Reputation: safe
                                          unknown
                                          http://www.nirsoft.net/vbc.exe, 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmpfalse
                                            high
                                            http://www.zhongyicts.com.cnCosta Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCosta Order.exe, 0000000A.00000002.293093252.0000000002DD1000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.sakkal.comCosta Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown

                                              Contacted IPs

                                              Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.185.106.46 | safeconnectplus.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

                                              Private

                                              IP
                                              192.168.2.1

                                              General Information

                                              Joe Sandbox Version:33.0.0 White Diamond
                                              Analysis ID:453873
                                              Start date:25.07.2021
                                              Start time:12:08:12
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 13m 46s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:Costa Order.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:36
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.phis.troj.spyw.evad.winEXE@19/14@2/2
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 0% (good quality ratio 0%)
                                              • Quality average: 46.3%
                                              • Quality standard deviation: 40.1%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 104.43.193.48, 20.82.210.154, 23.211.4.86, 40.112.88.60, 20.50.102.62, 80.67.82.235, 80.67.82.211, 20.190.160.134, 20.190.160.136, 20.190.160.132, 20.190.160.67, 20.190.160.69, 20.190.160.8, 20.190.160.73, 20.190.160.75, 104.42.151.234
                                              • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, login.live.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
12:10:22 | API Interceptor | 10x Sleep call for process: Windows Update.exe modified
12:10:24 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
12:10:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
12:10:40 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_311cf0c91f67849da991a747bace81ac3acabd6_12ce22ee_145ad23d\Report.wer
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):17048
                                              Entropy (8bit):3.759879717110072
                                              Encrypted:false
                                              SSDEEP:192:4wDtvmVHBUZMXaaPXUlXK8zIUGy4/u7srS274It/g:HDtcBUZMXaasV4/u7srX4It/g
                                              MD5:23B77C277BC46EC03914592AB97E5891
                                              SHA1:9D69DFE01D022686EA83350153772EF4904FCA86
                                              SHA-256:17643EBB311CD831B1C52ADA68F67A41406D4EB08F6F3E8E9E59A1F9B1162BA3
                                              SHA-512:4DDF0572040D2CE107DA3C2D75A1ADEC2252BD49FA8B2A28D2B67DE05C97E45BE7FC82E95890669648126992B3932995EB403E96202256D88ED8228E2985C05D
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.1.7.1.3.8.3.5.9.5.3.6.7.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.1.7.1.3.8.3.9.2.6.6.1.2.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.4.5.1.5.8.b.-.4.f.5.8.-.4.3.5.f.-.8.3.4.0.-.f.5.8.1.c.a.0.5.2.0.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.e.c.f.f.e.e.-.0.5.5.9.-.4.1.5.e.-.a.f.0.1.-.5.e.1.5.4.b.2.1.8.4.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.u.T.W.0.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.f.0.-.0.0.0.1.-.0.0.1.7.-.b.7.b.a.-.7.c.b.4.8.8.8.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.f.6.c.f.2.8.f.5.c.8.5.0.1.1.c.6.5.3.e.c.b.1.4.8.f.9.6.6.d.c.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.5.4.0.9.2.7.7.2.d.d.1.d.8.c.a.8.b.2.0.b.8.4.f.4.4.e.0.9.3.1.d.
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEB5.tmp.dmp
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Sun Jul 25 19:10:37 2021, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):436367
                                              Entropy (8bit):3.8426806821701875
                                              Encrypted:false
                                              SSDEEP:3072:GZ9gIOgF5wzXo0Prn/UCgUxFn+kEoo25rrin0vKr0jd+pTJRbzvr49kviZ+bZt21:M9RpDhS7/TjbfnCn0U1pTJhJz21
                                              MD5:118B505EB84372863911E9ABB888A7E2
                                              SHA1:05561C7CF5705959D934984CC3C62676A5F0C564
                                              SHA-256:1AD2F2C445A205DA7F86CF8D43DAB3A2002C4FE23303DE5C24607665C12F8367
                                              SHA-512:FA18F4625E33A123D358DD8C7F761BD6E2646F9B51DD09B2313DAAD4FAA69B161C413735D49543FFB2E232C026998710B2488E0B6841C1DF8A8175BE96604867
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: MDMP....... .......-..`...................U...........B......x.......GenuineIntelW...........T..............`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7BE.tmp.WERInternalMetadata.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):6396
                                              Entropy (8bit):3.717323337807483
                                              Encrypted:false
                                              SSDEEP:192:Rrl7r3GLNiHRY6S0YZ7jSFCprX89bpcsfeDm:RrlsNiu6S0YVjSFpvfL
                                              MD5:94062CF166E6EE09C79C8B355B9B548D
                                              SHA1:C85C2896C65F0F0998561E8B7AFB145FEC08AB57
                                              SHA-256:B98D977B784F5FFE8B202ABCB15AB99B1C59A477E5D699D98892B33F159B2DE3
                                              SHA-512:81AC741A3AA4BC4B71FD234DD7E879ACE086C584F1EFCEAFB5A43C0E0D2D787C5D107D786AAA5E92D84AC4D9A42C2B09D58434AF6B5EF40B01AB6DDD4479B959
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.4.8.<./.P.i.d.>.......
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERC84C.tmp.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4750
                                              Entropy (8bit):4.453900329853799
                                              Encrypted:false
                                              SSDEEP:48:cvIwSD8zsCJgtWI98FkokWSC8Bt8fm8M4JEjFYU+q8vIkD2s1OiwPd:uITfQXFko9SN4JpUKd26wPd
                                              MD5:4366E236487B0031B30668593F4B32BC
                                              SHA1:A7C372B4FCB8A0ABF9168B7F04407838B05D50BA
                                              SHA-256:8AEB30F9EDFE86DD48C26C9AD139262DB5B64DABCD947CE5B79FC05905F79B45
                                              SHA-512:52CBD5CE4D8549B152FDB47C838A07AF1C1FDF6515054D037E4FED17653F3ED1366FF6B9D81195CC51AA4C31495DE45CBA7B3278330DBFC494AD6AF3E3615F27
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1093221" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Costa Order.exe.log
                                              Process:C:\Users\user\Desktop\Costa Order.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                              Malicious:true
                                              Reputation:unknown
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Update.exe.log
                                              Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                              Process:C:\Users\user\Desktop\Costa Order.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):38
                                              Entropy (8bit):4.0476738167478805
                                              Encrypted:false
                                              SSDEEP:3:oNWXp5vmKZqXwJ:oNWXpFmoswJ
                                              MD5:6B4320EB60E3FDC23D472F755B93BEF4
                                              SHA1:66BA7137E02EBEAD7DD3AF0F5E22FA470C5A972E
                                              SHA-256:CD488724810DDB69E637011BF3C46221F3F215A4151F46A82599D47CEDC8B660
                                              SHA-512:963743612A5C1E3D8B5E9A9C498CFC8026A2446AB0BA0371637632F6C8DEE01F14A12B5281A9176F4D8FC711A1479887EB794B70D72746078AC7630AE90EEF74
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: C:\Users\user\Desktop\Costa Order.exe
                                              C:\Users\user\AppData\Local\Temp\holderwb.txt
                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                              Category:dropped
                                              Size (bytes):2
                                              Entropy (8bit):1.0
                                              Encrypted:false
                                              SSDEEP:3:Qn:Qn
                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: ..
                                              C:\Users\user\AppData\Roaming\Windows Update.exe
                                              Process:C:\Users\user\Desktop\Costa Order.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):984064
                                              Entropy (8bit):7.518077028291973
                                              Encrypted:false
                                              SSDEEP:24576:UNkLg6I80i3PQFMpB3+3Lf4uY7AvwRBU:UNk06I83PQysLf1Y7UwRBU
                                              MD5:BC4E444C2DD7463DC563119593BC7764
                                              SHA1:D54092772DD1D8CA8B20B84F44E0931D089D79D7
                                              SHA-256:FD95B0EB1D2A5650592DE694CDA956D9DCF0B1C3312FCB3273571F858762AE15
                                              SHA-512:E78AEDCCCA55FFD1EC5AA8F0C236443D442E1661D041007C54A6ABA767F3970495772D2EA7916056B5CC8C0107451ACB58DA612F2D4DD1574205470F12850742
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Virustotal, Detection: 46%, Browse
                                              • Antivirus: ReversingLabs, Detection: 29%
                                              Reputation:unknown
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............F.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................(.......H.......D...........O...T....k..........................................B..}.....(......*....0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o .....(......{.....o!.....{....o"...."...Bs#...o$...&.{....o"...."...Bs#...o$...&.{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o%....{..
                                              C:\Users\user\AppData\Roaming\Windows Update.exe:Zone.Identifier
                                              Process:C:\Users\user\Desktop\Costa Order.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:unknown
                                              Preview: [ZoneTransfer]....ZoneId=0
                                              C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                              Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):984064
                                              Entropy (8bit):7.518077028291973
                                              Encrypted:false
                                              SSDEEP:24576:UNkLg6I80i3PQFMpB3+3Lf4uY7AvwRBU:UNk06I83PQysLf1Y7UwRBU
                                              MD5:BC4E444C2DD7463DC563119593BC7764
                                              SHA1:D54092772DD1D8CA8B20B84F44E0931D089D79D7
                                              SHA-256:FD95B0EB1D2A5650592DE694CDA956D9DCF0B1C3312FCB3273571F858762AE15
                                              SHA-512:E78AEDCCCA55FFD1EC5AA8F0C236443D442E1661D041007C54A6ABA767F3970495772D2EA7916056B5CC8C0107451ACB58DA612F2D4DD1574205470F12850742
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                               • Antivirus: Virustotal, Detection: 46%
                                              • Antivirus: ReversingLabs, Detection: 29%
                                              Reputation:unknown
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............F.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................(.......H.......D...........O...T....k..........................................B..}.....(......*....0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o .....(......{.....o!.....{....o"...."...Bs#...o$...&.{....o"...."...Bs#...o$...&.{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o%....{..
                                              C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                              Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:unknown
                                              Preview: [ZoneTransfer]....ZoneId=0
                                              C:\Users\user\AppData\Roaming\pid.txt
                                              Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):4
                                              Entropy (8bit):1.0
                                              Encrypted:false
                                              SSDEEP:3:3:3
                                              MD5:3E9F0FC9B2F89E043BC6233994DFCF76
                                              SHA1:B40876D8990E971BD2E2F1E2AD377199107DA3D2
                                              SHA-256:39D5CE6249548C318A5F0B6BF0A3E2F234750A9741B6CE2F9EFF8670BC7CD7AF
                                              SHA-512:AB429E6BA56591CCA0A834599A13B7AABCA2865C47305B360AE35775CFACD667D98F0118296DEA2B5A66E9532FCB1DFF59F0633771970E82B6B27A1CE35D0B46
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: 4848
                                              C:\Users\user\AppData\Roaming\pidloc.txt
                                              Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):49
                                              Entropy (8bit):4.441568140944513
                                              Encrypted:false
                                              SSDEEP:3:oNWXp5cViEaKC59KYr4a:oNWXp+NaZ534a
                                              MD5:6078085422A31D60FCEB24D4FA24B6E8
                                              SHA1:0CD056478F3D877B3D44C7B439485B1ACFD78F5A
                                              SHA-256:9113E6728CEB1F460E3CEAB19852A31602CD77A92E7B861802FE339FD5CFD837
                                              SHA-512:22CE5D96BB25519CB14F27BDB44D7FAEDC6D5C8B8F81A1F972EA638BF9731D8793C98359D7C9476D50AF46346E0964E82F5B0B2F8B1B6763B078D2B045FB2EA1
                                              Malicious:false
                                              Reputation:unknown
                                              Preview: C:\Users\user\AppData\Roaming\Windows Update.exe
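The drop set above is compact and worth triaging as a unit: two self-copies under %APPDATA% whose hashes equal the submitted sample, a pid.txt holding the running PID, a pidloc.txt holding the image path, and Zone.Identifier streams with ZoneId=0 (Local Machine, so no Mark-of-the-Web prompt). The script below is an added example, not Joe Sandbox or HawkEye code; build_fixture() writes a constructed stand-in directory with placeholder bytes so it runs offline, and the file names, the Zone.Identifier handling and the self-copy hash comparison are assumptions drawn from this report's dropped-file list rather than from the malware itself.

```python
"""Triage of the %APPDATA% drop set this report lists (pid.txt, pidloc.txt,
the two self-copies and their Zone.Identifier streams).
Added example, not Joe Sandbox or HawkEye code; build_fixture() writes a
constructed stand-in directory so the script runs without the malware."""
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath
from typing import Optional

# File names taken from the report's dropped-file list
HAWKEYE_ARTIFACTS = {"pid.txt", "pidloc.txt", "Windows Update.exe", "WindowsUpdate.exe"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def zone_id_of(path: Path) -> Optional[int]:
    """ZoneId from the NTFS Zone.Identifier stream; None when the stream (or NTFS) is absent.
    ZoneId=0 (Local Machine) means no Mark-of-the-Web prompt on launch."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            m = re.search(r"^ZoneId=(\d+)", f.read(), re.M)
    except OSError:
        return None
    return int(m.group(1)) if m else None


def triage_appdata(appdata: Path, sample_sha256: Optional[str] = None) -> list:
    """One finding per artefact present; binaries are hashed and compared to the submitted sample."""
    present = {p.name: p for p in appdata.iterdir() if p.is_file()}
    findings = []
    for name in sorted(HAWKEYE_ARTIFACTS & present.keys()):
        p = present[name]
        f = {"file": name, "size": p.stat().st_size}
        text = p.read_text(errors="replace").strip() if name.endswith(".txt") else None
        if name == "pid.txt":
            f["pid"] = int(text) if text.isdigit() else None
        elif name == "pidloc.txt":
            f["image_path"] = text
            # the path is written by the malware on Windows, so parse it as a Windows path
            f["image_exists"] = PureWindowsPath(text).name in present
        else:
            f["sha256"] = sha256_of(p)
            f["self_copy_of_sample"] = sample_sha256 is not None and f["sha256"] == sample_sha256.lower()
            f["zone_id"] = zone_id_of(p)
        findings.append(f)
    return findings


def build_fixture(root: Path) -> Path:
    """Constructed stand-in for the report's drop set (harmless placeholder bytes)."""
    payload = b"MZ" + b"placeholder for the HawkEye self-copy" * 16
    (root / "Windows Update.exe").write_bytes(payload)
    (root / "WindowsUpdate.exe").write_bytes(payload)
    (root / "pid.txt").write_text("4848")
    (root / "pidloc.txt").write_text(r"C:\Users\user\AppData\Roaming\Windows Update.exe")
    return root


def demo() -> list:
    with tempfile.TemporaryDirectory() as d:
        root = build_fixture(Path(d))
        # In a real case pass the SHA-256 of the submitted sample here
        return triage_appdata(root, sample_sha256=sha256_of(root / "Windows Update.exe"))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, point triage_appdata() at the user's Roaming directory and pass the sample hash from the report; a dropped binary whose hash matches the original is a self-copy for persistence rather than a second stage, and a pidloc.txt naming a file that is no longer present is the trace left after the "deletes itself after installation" behaviour.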

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.518077028291973
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                              File name:Costa Order.exe
                                              File size:984064
                                              MD5:bc4e444c2dd7463dc563119593bc7764
                                              SHA1:d54092772dd1d8ca8b20b84f44e0931d089d79d7
                                              SHA256:fd95b0eb1d2a5650592de694cda956d9dcf0b1c3312fcb3273571f858762ae15
                                              SHA512:e78aedccca55ffd1ec5aa8f0c236443d442e1661d041007c54a6aba767f3970495772d2ea7916056b5cc8c0107451acb58da612f2d4dd1574205470f12850742
                                              SSDEEP:24576:UNkLg6I80i3PQFMpB3+3Lf4uY7AvwRBU:UNk06I83PQysLf1Y7UwRBU
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............F.... ... ....@.. .......................`............@................................

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0x4f1946
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x60FAE4C0 [Fri Jul 23 15:48:16 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                               Instruction
                                               jmp dword ptr [00402000h]
                                               add byte ptr [eax], al   (repeated 97 times)
                                               The jmp reads its target from 0x402000, which is ImageBase 0x400000 plus the IAT RVA 0x2000: the single IAT slot that the mscoree.dll import fills with _CorExeMain. This is the standard native entry stub of a .NET executable, so the disassembly says nothing about the managed payload. The bytes after the 6-byte stub are zero padding, which the disassembler renders as add byte ptr [eax], al.

                                              Data Directories

                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf18f4 | 0x4f | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x5dc | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0xef94c | 0xefa00 | False | 0.784267817553 | data | 7.52415197503 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0xf2000 | 0x5dc | 0x600 | False | 0.429036458333 | data | 4.1598987436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0xf4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                               Name | RVA | Size | Type | Language | Country
                                               RT_VERSION | 0xf2090 | 0x34c | data | |
                                               RT_MANIFEST | 0xf23ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                              Imports

                                               DLL | Import
                                               mscoree.dll | _CorExeMain
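The Static PE Info above (entry-point stub, data directories, section entropy, the single mscoree.dll import) can be reproduced with a few dozen lines of header parsing, and doing so makes the two things that matter for this sample explicit: a .NET assembly whose whole .text section sits at entropy 7.5 is carrying packed or encrypted content, and the native entry point is just the CLR loader stub, so the real code only appears once the runtime is up. The block below is an added example, not Joe Sandbox code and not code from the sample; build_sample_pe() emits a constructed PE32 stand-in (assumed layout: one .text section at RVA 0x2000 with the IAT and CLR directory entries inside it) so the script runs offline, and a path argument analyses a real file instead.

```python
"""Static PE triage: per-section entropy, CLR header and the managed entry stub
(the `jmp dword ptr [IAT]` shown in the Entrypoint Preview). Added example, not
Joe Sandbox code. build_sample_pe() emits a constructed PE32 stand-in so the
script runs without the sample; pass a real file path to analyse it instead."""
import math
import struct
import sys
from collections import Counter

PE32_MAGIC = 0x10B
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14      # data-directory indices (IAT, CLR header)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform; code sections of a plain .NET build sit well below 7."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def rva_to_offset(rva: int, sections: list):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    return None


def parse_pe(image: bytes) -> dict:
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base, dd = struct.unpack_from("<I", image, opt + 28)[0], opt + 96
    else:  # PE32+
        image_base, dd = struct.unpack_from("<Q", image, opt + 24)[0], opt + 112
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_size": rsize, "raw_ptr": rptr, "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": shannon_entropy(image[rptr:rptr + rsize])})
    clr_rva, clr_size = struct.unpack_from("<II", image, dd + 8 * DIR_COM_DESCRIPTOR)
    iat_rva = struct.unpack_from("<I", image, dd + 8 * DIR_IAT)[0]
    info = {"image_base": image_base, "entry_rva": entry_rva, "iat_rva": iat_rva,
            "has_clr_header": bool(clr_rva and clr_size), "sections": sections}
    # The .NET loader stub is FF 25 <abs addr>: jmp through the IAT slot holding mscoree!_CorExeMain
    off = rva_to_offset(entry_rva, sections)
    target = None
    if off is not None and image[off:off + 2] == b"\xff\x25":
        target = struct.unpack_from("<I", image, off + 2)[0] - image_base
    info["entry_jmp_target_rva"] = target
    info["managed_entry_stub"] = info["has_clr_header"] and target == iat_rva
    return info


def packed_executable_sections(info: dict, threshold: float = 7.0) -> list:
    """Executable sections whose entropy suggests packed or encrypted content."""
    return [s["name"] for s in info["sections"] if s["executable"] and s["entropy"] >= threshold]


def build_sample_pe(text_body: bytes) -> bytes:
    """Constructed PE32 (not the real sample): one .text section at RVA 0x2000; the data
    directories point the IAT at 0x2000 and the CLR header at 0x2008 inside it, and the
    entry point is the FF 25 stub appended at the end of the section."""
    raw_ptr, text_rva, opt_size, image_base = 0x200, 0x2000, 224, 0x400000
    text = text_body + b"\xff\x25" + struct.pack("<I", image_base + text_rva)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)  # i386, one section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, text_rva + len(text) - 6)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, text_rva, 8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, text_rva + 8, 0x48)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + text


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(bytes(range(256)) * 16)
    info = parse_pe(data)
    for s in info["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['raw_size']:x} exec={s['executable']} entropy={s['entropy']:.2f}")
    print("CLR header:", info["has_clr_header"], "| managed entry stub:", info["managed_entry_stub"],
          "| high-entropy code sections:", packed_executable_sections(info))
```

Run against the real file, the output should mirror the tables above: .text at 7.52 bits per byte flagged, the COM descriptor present, and the entry stub resolving to the IAT RVA 0x2000. The entropy threshold of 7.0 is a working assumption, not a property of the sample.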

                                              Version Infos

                                               Description | Data
                                               Translation | 0x0000 0x04b0
                                               LegalCopyright | Copyright Microsoft 2011 - 2021
                                               Assembly Version | 1.0.0.0
                                               InternalName | uTW04.exe
                                               FileVersion | 1.0.0.0
                                               CompanyName | Microsoft
                                               LegalTrademarks |
                                               Comments |
                                               ProductName | Factory Reset
                                               ProductVersion | 1.0.0.0
                                               FileDescription | Factory Reset
                                               OriginalFilename | uTW04.exe

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jul 25, 2021 12:10:41.722798109 CEST | 49743 | 587 | 192.168.2.3 | 192.185.106.46
                                               Jul 25, 2021 12:10:41.861133099 CEST | 587 | 49743 | 192.185.106.46 | 192.168.2.3
                                               Jul 25, 2021 12:10:41.864856005 CEST | 49743 | 587 | 192.168.2.3 | 192.185.106.46
                                               Jul 25, 2021 12:10:42.053116083 CEST | 587 | 49743 | 192.185.106.46 | 192.168.2.3
                                               Jul 25, 2021 12:10:42.095980883 CEST | 49743 | 587 | 192.168.2.3 | 192.185.106.46
                                               Jul 25, 2021 12:10:47.179562092 CEST | 49743 | 587 | 192.168.2.3 | 192.185.106.46

                                              UDP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jul 25, 2021 12:08:50.450923920 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:50.482191086 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:50.873441935 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:50.911454916 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:51.259356022 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:51.284358978 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:52.527595997 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:52.557970047 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:53.375777006 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:53.405227900 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:54.384951115 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:54.410147905 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:55.404232025 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:55.443348885 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:56.294302940 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:56.320394993 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:57.110644102 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:57.144798994 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:58.659372091 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:58.692249060 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:08:59.565085888 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:08:59.591731071 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:02.331172943 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:02.358972073 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:03.144107103 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:03.181283951 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:03.986680984 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:04.044382095 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:05.583254099 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:05.611300945 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:06.420232058 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:06.449021101 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:07.327084064 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:07.355237007 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:08.154427052 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:08.182372093 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:22.958823919 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:22.996308088 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:29.907107115 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:29.944466114 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:44.527575016 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:44.577872992 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:09:56.931679010 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:09:56.972994089 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:10:00.297493935 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:10:00.335046053 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:10:21.688966036 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:10:21.728132963 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:10:31.988924026 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:10:32.034142017 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:10:34.270863056 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:10:34.325267076 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:10:35.562752008 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:10:35.722040892 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:10:39.908998013 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:10:39.942497969 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                                               Jul 25, 2021 12:10:40.267380953 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                                               Jul 25, 2021 12:10:40.295703888 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3

                                              DNS Queries

                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                               Jul 25, 2021 12:10:21.688966036 CEST | 192.168.2.3 | 8.8.8.8 | 0x1413 | Standard query (0) | 54.229.13.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
                                               Jul 25, 2021 12:10:35.562752008 CEST | 192.168.2.3 | 8.8.8.8 | 0x13d9 | Standard query (0) | safeconnectplus.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                               Jul 25, 2021 12:10:21.728132963 CEST | 8.8.8.8 | 192.168.2.3 | 0x1413 | Name error (3) | 54.229.13.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                               Jul 25, 2021 12:10:35.722040892 CEST | 8.8.8.8 | 192.168.2.3 | 0x13d9 | No error (0) | safeconnectplus.com | | 192.185.106.46 | A (IP address) | IN (0x0001)
                                               Jul 25, 2021 12:10:39.942497969 CEST | 8.8.8.8 | 192.168.2.3 | 0x27d3 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)

                                              SMTP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                               Jul 25, 2021 12:10:42.053116083 CEST | 587 | 49743 | 192.185.106.46 | 192.168.2.3 | 220-admiral.websitewelcome.com ESMTP Exim 4.94.2 #2 Sun, 25 Jul 2021 05:10:41 -0500
                                               220-We do not authorize the use of this system to transport unsolicited,
                                               220 and/or bulk e-mail.
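Read together, the three network tables describe one channel: the sample resolves safeconnectplus.com, and six seconds later the sandbox host opens a client connection to the resolved address on TCP 587 and receives an Exim submission banner. That is the HawkEye exfiltration path (stolen credentials and keystrokes are mailed out), and the detection that matters is the correlation rather than any single packet: a workstation process talking SMTP submission directly to a hosting provider's MTA right after a fresh DNS answer. The block below is an added example, not Joe Sandbox code; the log text is constructed from the values in the tables above in an assumed whitespace-separated layout, and the mail-port list and the sandbox address are assumptions.

```python
"""Correlate the report's DNS answers with its outbound TCP flows to flag the
SMTP exfiltration channel. Added example, not Joe Sandbox code; the log text
below is constructed from the values in the report's tables and assumes a simple
whitespace-separated layout (the report's own tables are HTML, not this format)."""
from collections import defaultdict
from datetime import datetime

SANDBOX_HOST = "192.168.2.3"           # assumption: the analysis VM's address
MAIL_PORTS = {25, 465, 587, 2525}      # assumption: ports worth treating as mail submission

# Constructed from the DNS Answers table: date time name type value
DNS_ANSWERS = """\
2021-07-25 12:10:35.722040 safeconnectplus.com A 192.185.106.46
2021-07-25 12:10:39.942497 prda.aadg.msidentity.com CNAME www.tm.a.prd.aadg.akadns.net
"""
# Constructed from the TCP Packets table: date time src sport dst dport
TCP_PACKETS = """\
2021-07-25 12:10:41.722798 192.168.2.3 49743 192.185.106.46 587
2021-07-25 12:10:41.861133 192.185.106.46 587 192.168.2.3 49743
2021-07-25 12:10:41.864856 192.168.2.3 49743 192.185.106.46 587
2021-07-25 12:10:42.053116 192.185.106.46 587 192.168.2.3 49743
2021-07-25 12:10:42.095980 192.168.2.3 49743 192.185.106.46 587
2021-07-25 12:10:47.179562 192.168.2.3 49743 192.185.106.46 587
"""
# Server greeting from the SMTP Packets table, keyed by (server ip, port)
SMTP_BANNERS = {("192.185.106.46", 587): "220-admiral.websitewelcome.com ESMTP Exim 4.94.2"}


def parse_ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")


def a_records(dns_text: str) -> dict:
    """ip -> (name, time the answer arrived); only A records map a name to an IP."""
    out = {}
    for line in dns_text.splitlines():
        date, time, name, rtype, value = line.split()
        if rtype == "A":
            out[value] = (name, parse_ts(date, time))
    return out


def smtp_exfil_findings(dns_text: str, tcp_text: str, banners: dict = None) -> list:
    """Outbound flows from the sandbox host to a mail port, enriched with the domain that
    resolved to the peer and the delay between the DNS answer and the first packet."""
    resolved = a_records(dns_text)
    outbound = defaultdict(list)
    for line in tcp_text.splitlines():
        date, time, src, _sport, dst, dport = line.split()
        if src == SANDBOX_HOST and int(dport) in MAIL_PORTS:
            outbound[(dst, int(dport))].append(parse_ts(date, time))
    findings = []
    for (dst, dport), times in outbound.items():
        name, answered = resolved.get(dst, (None, None))
        findings.append({
            "dst": dst, "port": dport, "domain": name,
            "outbound_packets": len(times), "first_packet": min(times),
            "dns_to_connect_s": (min(times) - answered).total_seconds() if answered else None,
            "banner": (banners or {}).get((dst, dport)),
        })
    return findings


if __name__ == "__main__":
    for finding in smtp_exfil_findings(DNS_ANSWERS, TCP_PACKETS, SMTP_BANNERS):
        print(finding)
```

On the report's data this yields a single finding: safeconnectplus.com at 192.185.106.46:587, four client packets, a 6.0 s gap between resolution and the first packet, and the Exim banner. A peer with no preceding A record (domain None) is still reported, since hard-coded mail-server addresses are the other common HawkEye configuration.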

                                              Code Manipulations

                                              Statistics

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:12:08:56
                                              Start date:25/07/2021
                                              Path:C:\Users\user\Desktop\Costa Order.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Costa Order.exe'
                                              Imagebase:0x8c0000
                                              File size:984064 bytes
                                              MD5 hash:BC4E444C2DD7463DC563119593BC7764
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:12:09:36
                                              Start date:25/07/2021
                                              Path:C:\Users\user\Desktop\Costa Order.exe
                                              Wow64 process (32bit):false
                                              Commandline:{path}
                                              Imagebase:0xb0000
                                              File size:984064 bytes
                                              MD5 hash:BC4E444C2DD7463DC563119593BC7764
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              General

                                              Start time:12:09:36
                                              Start date:25/07/2021
                                              Path:C:\Users\user\Desktop\Costa Order.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x9b0000
                                              File size:984064 bytes
                                              MD5 hash:BC4E444C2DD7463DC563119593BC7764
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:12:09:41
                                              Start date:25/07/2021
                                              Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\AppData\Roaming\Windows Update.exe'
                                              Imagebase:0xbf0000
                                              File size:984064 bytes
                                              MD5 hash:BC4E444C2DD7463DC563119593BC7764
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 46%, Virustotal
                                              • Detection: 29%, ReversingLabs
                                              Reputation:low

                                              General

                                              Start time:12:10:17
                                              Start date:25/07/2021
                                              Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x750000
                                              File size:984064 bytes
                                              MD5 hash:BC4E444C2DD7463DC563119593BC7764
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000002.422553167.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000002.422553167.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000018.00000002.429765718.0000000007D50000.00000004.00000001.sdmp, Author: Arnim Rupp
                                              • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000018.00000000.398220515.0000000007D50000.00000004.00000001.sdmp, Author: Arnim Rupp
                                              • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000018.00000002.429705433.0000000007D20000.00000004.00000001.sdmp, Author: Arnim Rupp
                                              • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000018.00000000.406136458.0000000007D50000.00000004.00000001.sdmp, Author: Arnim Rupp
                                              • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000018.00000000.406053049.0000000007D20000.00000004.00000001.sdmp, Author: Arnim Rupp
                                              • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000018.00000000.398164830.0000000007D20000.00000004.00000001.sdmp, Author: Arnim Rupp
                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000000.391632234.0000000003CF9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000000.391632234.0000000003CF9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:12:10:27
                                              Start date:25/07/2021
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high

                                              General

                                              Start time:12:10:27
                                              Start date:25/07/2021
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high

                                              General

                                              Start time:12:10:34
                                              Start date:25/07/2021
                                              Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                              Imagebase:0xd80000
                                              File size:984064 bytes
                                              MD5 hash:BC4E444C2DD7463DC563119593BC7764
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 46%, Virustotal
                                              • Detection: 29%, ReversingLabs
                                              Reputation:low

                                              General

                                              Start time:12:10:34
                                              Start date:25/07/2021
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
                                              Imagebase:0x350000
                                              File size:434592 bytes
                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              General

                                              Start time:12:10:35
                                              Start date:25/07/2021
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
                                              Imagebase:0x350000
                                              File size:434592 bytes
                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:12:10:43
                                              Start date:25/07/2021
                                              Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                              Imagebase:0x250000
                                              File size:984064 bytes
                                              MD5 hash:BC4E444C2DD7463DC563119593BC7764
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:low

                                              Disassembly

                                              Code Analysis