Windows Analysis Report aaVb1xEmrd

Overview

General Information

Sample Name: aaVb1xEmrd (renamed file extension from none to exe)
Analysis ID: 478309
MD5: c428b176eca6b17cda3f5729abaddf0b
SHA1: 65262ee5ea9c832436c6eba4a5e58d69900aea72
SHA256: b139dd73d811c0d20602ebd74f962724d2c9e31958bdea9326473bf4bbd746b9
Tags: exe, HawkEye
Detection

HawkEye, MailPassView, PredatorPainRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected PredatorPainRAT
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sigma detected: System File Execution Location Anomaly
Creates multiple autostart registry keys
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Suspicious Svchost Process
Tries to steal Mail credentials (via file access)
Drops PE files with benign system names
Sample uses process hollowing technique
Installs a global keyboard hook
Disables Windows system restore
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in Windows Explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Sigma detected: PowerShell Script Run in AppData
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Avira: detection malicious, Label: TR/Spy.Gen
Multi AV Scanner detection for submitted file
Source: aaVb1xEmrd.exe Virustotal: Detection: 69%
Source: aaVb1xEmrd.exe Metadefender: Detection: 28%
Source: aaVb1xEmrd.exe ReversingLabs: Detection: 74%
Antivirus / Scanner detection for submitted sample
Source: aaVb1xEmrd.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Metadefender: Detection: 60%
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: aaVb1xEmrd.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.iExplorer.exe.6d0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.iExplorer.exe.6d0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.taskhost.exe.9c0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 5.0.taskhost.exe.9c0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.svchost.exe.bc0000.0.unpack Avira: Label: TR/Spy.Gen
Source: 8.0.Windows Update.exe.3d0000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.Windows Update.exe.3d0000.10.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.10.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.iExplorer.exe.6d0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.iExplorer.exe.6d0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.svchost.exe.f30000.0.unpack Avira: Label: TR/Spy.Gen
Source: 19.0.svchost.exe.320000.0.unpack Avira: Label: TR/Spy.Gen
Source: 5.2.taskhost.exe.9c0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.taskhost.exe.9c0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.Windows Update.exe.3d0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.Windows Update.exe.3d0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.Windows Update.exe.3d0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files
Source: aaVb1xEmrd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\SYSTEM32\winnlsres.dlls.pdb source: svchost.exe, 0000000A.00000002.490336011.00000000010A9000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb5c5619 source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Windows.Forms.pdbl source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe, vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp
Source: Binary string: ws\System.Windows.Forms.pdbpdbrms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb.p source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbsys source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: kC:\Windows\dll\System.Windows.Forms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp

Spreading:

May infect USB drives
Source: taskhost.exe Binary or memory string: [autorun]
Source: taskhost.exe Binary or memory string: autorun.inf
Source: iExplorer.exe Binary or memory string: [autorun]
Source: iExplorer.exe Binary or memory string: autorun.inf
Source: Windows Update.exe Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\CureMe\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_00405C6C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 1_2_00405C6C
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_004052DC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004052DC
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_004026B9 FindFirstFileA, 1_2_004026B9

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_052077F0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05200728
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520A32E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05206711
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05205B73
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then call 05201B20h 5_2_05208D5F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05208D5F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05209BA1
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then jmp 05201A73h 5_2_052019A3
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then jmp 05201A73h 5_2_052019B0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then call 05201B20h 5_2_05209596
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05209596
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_052077EB
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_052017F8
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then mov esp, ebp 5_2_0520483B
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520603F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520A244
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_0520985B
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then call 05201B20h 5_2_052094AC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_052094AC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_052014C0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_05205CCE

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Domain query: smtp.mail.ru
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Network Connect: 94.100.180.160 587
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49711 -> 94.100.180.160:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49711 -> 94.100.180.160:587
Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: svchost.exe, 0000000D.00000002.491272541.000001990D615000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: svchost.exe, 0000000D.00000002.491272541.000001990D615000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0B
Source: svchost.exe, 0000000D.00000002.491350262.000001990D649000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp String found in binary or memory: http://status.geotrust.com0=
Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: taskhost.exe, iExplorer.exe, Windows Update.exe String found in binary or memory: http://whatismyipaddress.com/
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com_
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comlt
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comW
Source: iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comlvfet
Source: taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comoL
Source: taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comrsh
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: taskhost.exe, 00000005.00000003.231021953.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/P
Source: iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/T
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: taskhost.exe, 00000005.00000003.231408705.0000000005770000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn1
Source: taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnE
Source: taskhost.exe, 00000005.00000003.231488771.0000000005771000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnO
Source: taskhost.exe, 00000005.00000003.231545876.0000000005751000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cntL
Source: iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnz
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: svchost.exe String found in binary or memory: http://www.hackforums.net/member.php
Source: svchost.exe, 00000004.00000002.266893331.00000000039C4000.00000004.00000001.sdmp String found in binary or memory: http://www.hackforums.net/member.php?action=3Dprofile&uid=3D177092).=
Source: svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmp String found in binary or memory: http://www.hackforums.net/member.php?action=profile&uid=177092).
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/16
Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: taskhost.exe, 00000005.00000003.232528224.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Versh
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Vet
Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0rsh
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/c
Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/z
Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/phy/
Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comO
Source: taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comic
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: taskhost.exe, 00000005.00000003.235558162.0000000005770000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.235337554.0000000005770000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: taskhost.exe, 00000005.00000003.231928279.0000000005770000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000004.00000002.266303126.00000000039A2000.00000004.00000001.sdmp String found in binary or memory: https://biz.mail.ru)
Source: taskhost.exe, iExplorer.exe, Windows Update.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: https://tamina212.000webhostapp.com/data.php
Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: taskhost.exe, iExplorer.exe, Windows Update.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown DNS traffic detected: queries for: smtp.mail.ru
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_02AFA09A recv, 5_2_02AFA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: taskhost.exe, iExplorer.exe, Windows Update.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\taskhost.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Windows user hook set: 0 keyboard low level C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Windows user hook set: 0 keyboard low level C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
Contains functionality to log keystrokes (.Net Source)
Source: taskhost.exe.1.dr, Form1.cs .Net Code: HookKeyboard
Source: iExplorer.exe.1.dr, Form1.cs .Net Code: HookKeyboard
Source: WindowsUpdate.exe.5.dr, Form1.cs .Net Code: HookKeyboard
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: Windows Update.exe.7.dr, Form1.cs .Net Code: HookKeyboard
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs .Net Code: HookKeyboard
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_00404EA7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404EA7
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Yara detected PredatorPainRAT
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
Malicious sample detected (through community Yara rule)
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
Detected potential crypto function
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_0040686C 1_2_0040686C
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_00406095 1_2_00406095
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_004046B8 1_2_004046B8
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 4_2_00007FFAEE5E3DDC 4_2_00007FFAEE5E3DDC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009CD426 5_2_009CD426
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009DD5AE 5_2_009DD5AE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009CD523 5_2_009CD523
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009CD6C4 5_2_009CD6C4
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009D7646 5_2_009D7646
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A029BE 5_2_00A029BE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A06AF4 5_2_00A06AF4
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A2ABFC 5_2_00A2ABFC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A23CBE 5_2_00A23CBE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A23C4D 5_2_00A23C4D
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A23DC0 5_2_00A23DC0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A23D2F 5_2_00A23D2F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009CED03 5_2_009CED03
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009CCF92 5_2_009CCF92
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_009DAFA6 5_2_009DAFA6
PE file contains strange resources
Source: MULTIBOT_NEWW.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: taskhost.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: taskhost.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: taskhost.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iExplorer.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: security.dll
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Section loaded: security.dll
Uses 32bit PE files
Source: aaVb1xEmrd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.taskhost.exe.311411c.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.2e4bf0c.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.2b89e50.14.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Windows Update.exe.2b89e50.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.2b89ea8.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
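The Yara hits above are easier to read once grouped by process and by dropped file: the memory-dump names carry the process index, and the "N_2_..." / "N.2.<image>.unpack" identifiers elsewhere in this report tie that index to an image name (5 = taskhost.exe, 7 = iExplorer.exe, 8 = Windows Update.exe, 4 = the Temp svchost.exe, 1 = aaVb1xEmrd.exe). The Python below is an added example, not part of the Joe Sandbox report; it reads the dump name as <process index>.<phase>.<dump id>.<base address>.<protect>.<type>.sdmp, which is an assumed interpretation of the naming, and only uses the first and fourth fields. The sample lines are copied from this report with their rule metadata shortened.

```python
import re
from collections import defaultdict

# Memory-dump sources: the first field is the (hex) process index, the fourth
# the base address of the dumped region (assumed field layout, see lead-in).
MEMORY_RE = re.compile(
    r"Source:\s+(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp,"
    r"\s+type:\s+MEMORY\s+Matched rule:\s+(?P<rule>\S+)"
)
# Dropped-file sources: a Windows path followed by ", type: DROPPED".
DROPPED_RE = re.compile(
    r"Source:\s+(?P<path>[A-Za-z]:\\.+?),\s+type:\s+DROPPED\s+Matched rule:\s+(?P<rule>\S+)"
)

# Rule name -> family label; rules not listed keep their own name.
FAMILY = {
    "RAT_HawkEye": "HawkEye",
    "Hawkeye": "HawkEye",
    "RAT_PredatorPain": "PredatorPain",
    "PredatorPain": "PredatorPain",
}

# Process index -> image, taken from this report's own "N_2_" / "N.2." identifiers.
# Indices not listed here (0x1A, 0x22) are reported by number.
PROCESS_IMAGE = {
    1: "aaVb1xEmrd.exe",
    3: "MULTIBOT_NEWW.exe",
    4: "svchost.exe (Temp)",
    5: "taskhost.exe",
    7: "iExplorer.exe",
    8: "Windows Update.exe",
}


def correlate(lines):
    """Return ({process index: {(family, base address)}}, {dropped path: {family}})."""
    by_process = defaultdict(set)
    by_file = defaultdict(set)
    for line in lines:
        m = MEMORY_RE.search(line)
        if m:
            fam = FAMILY.get(m.group("rule"), m.group("rule"))
            by_process[int(m.group("pid"), 16)].add((fam, int(m.group("base"), 16)))
            continue
        d = DROPPED_RE.search(line)
        if d:
            by_file[d.group("path")].add(FAMILY.get(d.group("rule"), d.group("rule")))
    return dict(by_process), dict(by_file)


def families_per_process(by_process):
    """Collapse to {image name or 'process index N': sorted family list}."""
    out = {}
    for pid, hits in by_process.items():
        name = PROCESS_IMAGE.get(pid, f"process index {pid}")
        out[name] = sorted({fam for fam, _ in hits})
    return out


# A handful of the report's lines, metadata shortened after the rule name.
SAMPLE = [
    r"Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, author = Kevin Breen",
    r"Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group",
    r"Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_PredatorPain date = 01.04.2014, author = Kevin Breen",
    r"Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: PredatorPain date = 2014/04, author = Kevin Breen",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: PredatorPain date = 2014/04, author = Kevin Breen",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, author = Kevin Breen",
]

if __name__ == "__main__":
    by_proc, by_file = correlate(SAMPLE)
    for image, fams in families_per_process(by_proc).items():
        print(f"{image}: {', '.join(fams)}")
    for path, fams in by_file.items():
        print(f"{path}: {', '.join(sorted(fams))}")
```

Note the two different file names: "Windows Update.exe" (with a space, dropped by iExplorer.exe, PredatorPain) and "WindowsUpdate.exe" (dropped by taskhost.exe, HawkEye) are separate payloads, which is why the grouping keys on the full path rather than the basename.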
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_0040315D EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040315D
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: String function: 00A0BA9D appears 36 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 003EBF1F appears 42 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 0041A7D9 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: String function: 0071A7D9 appears 36 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05295B1E NtWriteVirtualMemory, 5_2_05295B1E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05295A76 NtResumeThread, 5_2_05295A76
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_0529548A NtQuerySystemInformation, 5_2_0529548A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_0529545C NtQuerySystemInformation, 5_2_0529545C
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05295AF1 NtWriteVirtualMemory, 5_2_05295AF1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E06ABA NtResumeThread, 8_2_04E06ABA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E05266 NtQuerySystemInformation, 8_2_04E05266
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E06B62 NtWriteVirtualMemory, 8_2_04E06B62
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E0522C NtQuerySystemInformation, 8_2_04E0522C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E06B35 NtWriteVirtualMemory, 8_2_04E06B35
Sample file is different than original file name gathered from version info
Source: aaVb1xEmrd.exe, 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMicrosoft.exe4 vs aaVb1xEmrd.exe
Source: MULTIBOT_NEWW.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: aaVb1xEmrd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@45/38@8/4
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File read: C:\Users\desktop.ini Jump to behavior
Source: WindowsUpdate.exe.5.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: taskhost.exe.1.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: MULTIBOT_NEWW.exe, 00000003.00000002.489293811.0000000000418000.00000004.00020000.sdmp Binary or memory string: bA*\AD:\1. alat hacking\buat\projek vb\baru\MultiBotNew.vbp
Source: MULTIBOT_NEWW.exe Binary or memory string: A*\AD:\1. alat hacking\buat\projek vb\baru\MultiBotNew.vbp
Source: aaVb1xEmrd.exe Virustotal: Detection: 69%
Source: aaVb1xEmrd.exe Metadefender: Detection: 28%
Source: aaVb1xEmrd.exe ReversingLabs: Detection: 74%
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File read: C:\Users\user\Desktop\aaVb1xEmrd.exe Jump to behavior
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\aaVb1xEmrd.exe 'C:\Users\user\Desktop\aaVb1xEmrd.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
Source: unknown Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
Source: unknown Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1096
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1168
Source: unknown Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe' Jump to behavior
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe' Jump to behavior
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe' Jump to behavior
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
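The process tree above carries three patterns a detection engineer can key on: binaries named svchost.exe and taskhost.exe launched from %TEMP% and a user profile (the "System File Execution Location Anomaly" Sigma hit), svchost.exe whose parent is not services.exe (the "Suspicious Svchost Process" Sigma hit), and the VB.NET compiler vbc.exe run with "/stext <file>", which is the NirSoft password-recovery command line (MailPassView, WebBrowserPassView) that HawkEye executes inside a hollowed vbc.exe, writing to holdermail.txt and holderwb.txt. The dw20.exe and WerFault.exe children are the .NET and Windows crash reporters and are noise here. The Python below is an added example with heuristics modelled on those rules, not the Sigma project's rules and not Joe Sandbox code; the name lists are this example's own. The events are reconstructed from this report's tree, except that the services.exe parent of the System32 svchost.exe line is assumed (the report shows that parent as "unknown").

```python
import ntpath
from dataclasses import dataclass

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Image names that belong to Windows itself; elsewhere on disk they are suspicious.
SYSTEM_NAMES = {
    "svchost.exe", "taskhost.exe", "taskhostw.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "wininit.exe", "spoolsv.exe",
}
# Legitimate parents of svchost.exe (this example's list; extend for your estate).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # full path of the creating process
    image: str    # full path of the created process
    cmdline: str


def _in_system_dir(path: str) -> bool:
    d = ntpath.dirname(path).lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def detect(ev: ProcEvent) -> list:
    """Return the names of the heuristics that fire for one process-creation event."""
    name = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent).lower()
    hits = []
    # 1. A binary carrying a Windows system name running outside the system directories.
    if name in SYSTEM_NAMES and not _in_system_dir(ev.image):
        hits.append("system_file_execution_location_anomaly")
    # 2. svchost.exe whose parent is not the service control manager (or Defender).
    if name == "svchost.exe" and parent not in SVCHOST_PARENTS:
        hits.append("suspicious_svchost_parent")
    # 3. vbc.exe given "/stext": the NirSoft tools' "save as text" switch, which the
    #    compiler itself does not take. Seen here as HawkEye's credential dump.
    if name == "vbc.exe" and "/stext" in ev.cmdline.lower():
        hits.append("nirsoft_stext_dump_via_vbc")
    return hits


def triage(events) -> list:
    """Keep only events that fired something, as (command line, [heuristics])."""
    return [(ev.cmdline, detect(ev)) for ev in events if detect(ev)]


VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
# Reconstructed from the process tree in this report (see lead-in for the one assumption).
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\aaVb1xEmrd.exe",
              r"C:\Users\user\AppData\Local\Temp\svchost.exe",
              r"'C:\Users\user\AppData\Local\Temp\svchost.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\aaVb1xEmrd.exe",
              r"C:\Users\user\AppData\Local\Temp\taskhost.exe",
              r"'C:\Users\user\AppData\Local\Temp\taskhost.exe'"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\taskhost.exe", VBC,
              VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\taskhost.exe", VBC,
              VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\taskhost.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
              "dw20.exe -x -s 2200"),            # .NET crash reporter: noise, no hit
    ProcEvent(r"C:\Windows\System32\services.exe",  # parent assumed, see lead-in
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),  # benign control
]

if __name__ == "__main__":
    for cmdline, hits in triage(EVENTS):
        print(", ".join(hits), "<=", cmdline)
```

Heuristic 3 is the high-confidence one: a legitimate build never passes /stext to vbc.exe, and the same pattern recurs under Windows Update.exe in the tree above, so one rule covers both payloads. Heuristics 1 and 2 will also fire on some legitimate installers and on Defender's own svchost.exe children, so tune SVCHOST_PARENTS and exclusions before alerting on them alone.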
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05294E52 AdjustTokenPrivileges, 5_2_05294E52
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05294E1B AdjustTokenPrivileges, 5_2_05294E1B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E05196 AdjustTokenPrivileges, 8_2_04E05196
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E0515F AdjustTokenPrivileges, 8_2_04E0515F
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File created: C:\Users\user\AppData\Local\Temp\nsk8DE2.tmp Jump to behavior
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_004020A3 CoCreateInstance,MultiByteToWideChar, 1_2_004020A3
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_004041ED GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_004041ED
Source: taskhost.exe, iExplorer.exe, Windows Update.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: taskhost.exe, iExplorer.exe, Windows Update.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: taskhost.exe, iExplorer.exe, Windows Update.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: taskhost.exe, iExplorer.exe, Windows Update.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: taskhost.exe, iExplorer.exe, Windows Update.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: taskhost.exe, iExplorer.exe, Windows Update.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: svchost.exe.1.dr, adiGWFtrqf.cs Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: taskhost.exe.1.dr, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: iExplorer.exe.1.dr, Form1.cs Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: WIN32.exe.4.dr, adiGWFtrqf.cs Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: svchost.exe.4.dr, adiGWFtrqf.cs Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: 4.0.svchost.exe.f30000.0.unpack, adiGWFtrqf.cs Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: 4.2.svchost.exe.f30000.0.unpack, adiGWFtrqf.cs Base64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
Source: WindowsUpdate.exe.5.dr, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: Windows Update.exe.7.dr, Form1.cs Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs Base64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6292
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6280
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\0w96J1537j
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe Jump to behavior
Source: svchost.exe.1.dr, adiGWFtrqf.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: taskhost.exe.1.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: taskhost.exe.1.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: taskhost.exe.1.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: taskhost.exe.1.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: iExplorer.exe.1.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: iExplorer.exe.1.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Automated click: OK
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Automated click: Continue
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\SYSTEM32\winnlsres.dlls.pdb source: svchost.exe, 0000000A.00000002.490336011.00000000010A9000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb5c5619 source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Windows.Forms.pdbl source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe, vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp
Source: Binary string: ws\System.Windows.Forms.pdbpdbrms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb.p source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbsys source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: kC:\Windows\dll\System.Windows.Forms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: taskhost.exe.1.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: taskhost.exe.1.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: taskhost.exe.1.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: taskhost.exe.1.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: iExplorer.exe.1.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: iExplorer.exe.1.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: iExplorer.exe.1.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: iExplorer.exe.1.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.5.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.5.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.5.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.5.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.7.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.7.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.7.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.7.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A30712 push eax; ret 5_2_00A30726
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A30712 push eax; ret 5_2_00A3074E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A0B87E push ecx; ret 5_2_00A0B88E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A0BA9D push eax; ret 5_2_00A0BAB1
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_00A0BA9D push eax; ret 5_2_00A0BAD9
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_02B07EF2 push eax; ret 5_2_02B07EF5
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_052049A9 push edx; ret 5_2_052049AA
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_052049AB push edx; ret 5_2_052049AE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_052049AF push edx; ret 5_2_052049B2
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204B87 push esi; ret 5_2_05204B8A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204B8B push edi; ret 5_2_05204B92
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204830 push ecx; ret 5_2_05204832
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204833 push ecx; ret 5_2_0520483A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05200016 push es; ret 5_2_0520006A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204661 push eax; ret 5_2_05204662
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204663 push eax; ret 5_2_0520466A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204A59 push ebx; ret 5_2_05204A5A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204AA9 push ebx; ret 5_2_05204AAA
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204AE7 push esp; ret 5_2_05204AEA
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05204ADF push ebx; ret 5_2_05204AE2
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_0073F44E push eax; ret 7_2_0073F462
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_0073F44E push eax; ret 7_2_0073F48A
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_0071A5BA push ecx; ret 7_2_0071A5CA
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_0071A7D9 push eax; ret 7_2_0071A7ED
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_0071A7D9 push eax; ret 7_2_0071A815
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_0043F44E push eax; ret 8_2_0043F462
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_0043F44E push eax; ret 8_2_0043F48A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_0041A5BA push ecx; ret 8_2_0041A5CA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_0041A7D9 push eax; ret 8_2_0041A7ED
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_0041A7D9 push eax; ret 8_2_0041A815
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_00CA6063 pushad ; retf 0000h 8_2_00CA6072
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_00405CAA GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405CAA
Source: initial sample Static PE information: section name: .text entropy: 7.57942816891

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
Drops PE files
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File created: C:\Users\user\AppData\Local\Temp\taskhost.exe
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe File created: C:\Users\user\AppData\Local\Temp\iExplorer.exe

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run server host protocol windows
Creates an undocumented autostart registry key
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{663zMYl1-971G-Rz79-18o0-8F397xVI0j0L} stubpath
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run server host protocol windows
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: svchost.exe, svchost.exe, 0000000A.00000002.491311478.0000000003641000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.273163025.0000000002C41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmp Binary or memory string: SBIEDLL.DLL+SOFTWARE\VALVE\STEAM\
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 3136 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 476 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 5164 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 3016 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 6276 Thread sleep count: 1079 > 30
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 1748 Thread sleep count: 1121 > 30
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe TID: 5276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe TID: 464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6200 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6672 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6692 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7100 Thread sleep time: -180000s >= -30000s
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -2600000s >= -30000s
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -200000s >= -30000s
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6496 Thread sleep time: -30000s >= -30000s
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window / User API: threadDelayed 1079
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window / User API: threadDelayed 1121
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Window / User API: threadDelayed 560
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_006D3EC6 sldt word ptr [eax] 7_2_006D3EC6
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: GetAdaptersInfo, 5_2_05292D72
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: GetAdaptersInfo, 5_2_05292D4A
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 100000
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 100000
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 100000
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\CureMe\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Vaccine\4535425425342grt45454s5s4\
Source: svchost.exe, 0000000D.00000002.491370590.000001990D661000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.490046729.0000019908029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.262341975.00000000014AE000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490695793.00000000010E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_00405C6C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 1_2_00405C6C
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_004052DC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004052DC
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_004026B9 FindFirstFileA, 1_2_004026B9
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_00405CAA GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405CAA
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05207920 LdrInitializeThunk, 5_2_05207920
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Domain query: smtp.mail.ru
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Network Connect: 94.100.180.160 587
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
.NET source code references suspicious native API functions
Source: taskhost.exe.1.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: taskhost.exe.1.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: iExplorer.exe.1.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: iExplorer.exe.1.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: WindowsUpdate.exe.5.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: WindowsUpdate.exe.5.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.0.taskhost.exe.9c0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.taskhost.exe.9c0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: Windows Update.exe.7.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Windows Update.exe.7.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.iExplorer.exe.6d0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.iExplorer.exe.6d0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 8.0.Windows Update.exe.3d0000.4.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 8.0.Windows Update.exe.3d0000.10.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Process created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp Binary or memory string: edProgram Manager
Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp Binary or memory string: Program Manager(
Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (11:09:22 PM) -----|
Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (12:19:16 PM) -----|
Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (10:59:22 PM) -----|
Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (9:36:07 AM) -----|
Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (12:22:36 PM) -----|
Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (12:30:56 PM) -----|
Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (9:47:47 AM) -----|
Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmp Binary or memory string: |-----Program Manager (9:39:27 AM) -----|

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Disables Windows system restore
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore DisableSR
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
AV process strings found (often used to terminate AV products)
Source: taskhost.exe, 00000005.00000002.321548245.00000000010D4000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.a1fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3b67e00.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3b67e00.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3b67e00.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.42e7ae.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.72e7ae.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.72e7ae.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.40b7e00.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3b67e00.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3b67e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.40b7e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.taskhost.exe.7421c02.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3b67e00.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.a1fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.283523438.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.293259909.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iExplorer.exe PID: 1352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6912, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
Yara detected HawkEye Keylogger
Source: Yara match File source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d8949.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.40d0240.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d8949.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.40d0240.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.40b7e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d8949.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c9c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c9c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.286698882.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match File source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
Detected HawkEye Rat
Source: taskhost.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: taskhost.exe String found in binary or memory: HawkEyeKeylogger
Source: taskhost.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: taskhost.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp String found in binary or memory: ar#"HawkEye_Keylogger_Stealer_Records_
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05290A8E listen, 5_2_05290A8E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05290E9E bind, 5_2_05290E9E
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05290E6B bind, 5_2_05290E6B
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05290A50 listen, 5_2_05290A50
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_04FD0FC6 bind, 7_2_04FD0FC6
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_04FD0A8E listen, 7_2_04FD0A8E
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_04FD0F93 bind, 7_2_04FD0F93
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_04FD0A50 listen, 7_2_04FD0A50
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E00A8E listen, 8_2_04E00A8E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E00FC6 bind, 8_2_04E00FC6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E00A50 listen, 8_2_04E00A50
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E00F93 bind, 8_2_04E00F93