
Windows Analysis Report aaVb1xEmrd

Overview

General Information

Sample Name: aaVb1xEmrd (renamed file extension from none to exe)
Analysis ID: 478309
MD5: c428b176eca6b17cda3f5729abaddf0b
SHA1: 65262ee5ea9c832436c6eba4a5e58d69900aea72
SHA256: b139dd73d811c0d20602ebd74f962724d2c9e31958bdea9326473bf4bbd746b9
Tags: exe, HawkEye
Most interesting Screenshot:

Detection

HawkEye, MailPassView, PredatorPainRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected PredatorPainRAT
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sigma detected: System File Execution Location Anomaly
Creates multiple autostart registry keys
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Tries to steal Mail credentials (via file access)
Drops PE files with benign system names
Sample uses process hollowing technique
Installs a global keyboard hook
Disables Windows system restore
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Sigma detected: PowerShell Script Run in AppData
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • aaVb1xEmrd.exe (PID: 2432 cmdline: 'C:\Users\user\Desktop\aaVb1xEmrd.exe' MD5: C428B176ECA6B17CDA3F5729ABADDF0B)
    • MULTIBOT_NEWW.exe (PID: 4768 cmdline: 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe' MD5: 3F620FFD8BE649D1D31AB54F73A559BE)
    • svchost.exe (PID: 4280 cmdline: 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
      • svchost.exe (PID: 6256 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
    • taskhost.exe (PID: 4548 cmdline: 'C:\Users\user\AppData\Local\Temp\taskhost.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
      • dw20.exe (PID: 6148 cmdline: dw20.exe -x -s 2200 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6280 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6624 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • iExplorer.exe (PID: 1352 cmdline: 'C:\Users\user\AppData\Local\Temp\iExplorer.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)
      • Windows Update.exe (PID: 5204 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)
        • dw20.exe (PID: 6724 cmdline: dw20.exe -x -s 2324 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6912 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 6928 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • WerFault.exe (PID: 5200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6740 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • svchost.exe (PID: 6960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7088 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4920 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • WindowsUpdate.exe (PID: 6112 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
    • dw20.exe (PID: 4068 cmdline: dw20.exe -x -s 1168 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6376 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6468 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • WindowsUpdate.exe (PID: 6656 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
    • dw20.exe (PID: 7084 cmdline: dw20.exe -x -s 1096 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5168 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings (listed under each row)
C:\Users\user\AppData\Roaming\Windows Update.exe | RAT_PredatorPain | Detects PredatorPain RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b7df:$string1: holderwb.txt
  • 0x7b7fb:$string1: holderwb.txt
  • 0x7b961:$string3: There is a file attached to this email
  • 0x7bf35:$string4: screens\screenshot
  • 0x7a364:$string5: Disablelogger
  • 0x7a30e:$string6: \pidloc.txt
  • 0x79e1c:$string7: clearie
  • 0x79e34:$string8: clearff
  • 0x7a5c5:$string9: emails should be sent to you shortly
  • 0x7aad9:$string11: open=Sys.exe
  • 0x7a326:$ver1: PredatorLogger
  • 0x7a9a8:$ver3: Predator Pain
  • 0x7b79b:$ver3: Predator Pain
  • 0x7b910:$ver3: Predator Pain
  • 0x7bb27:$ver3: Predator Pain
C:\Users\user\AppData\Roaming\Windows Update.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\Windows Update.exe | JoeSecurity_PredatorPainRAT | Yara detected PredatorPainRAT | Kevin Breen <kevin@techanarchy.net>
C:\Users\user\AppData\Roaming\Windows Update.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(19 entries in total; only the first rows are shown)

Memory Dumps

Source | Rule | Description | Author | Strings (listed under each row)
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b68e:$key: HawkEyeKeylogger
  • 0x7d8e0:$salt: 099u787978786
  • 0x7bcdd:$string1: HawkEye_Keylogger
  • 0x7cb30:$string1: HawkEye_Keylogger
  • 0x7d840:$string1: HawkEye_Keylogger
  • 0x7c0c6:$string2: holdermail.txt
  • 0x7c0e6:$string2: holdermail.txt
  • 0x7c008:$string3: wallet.dat
  • 0x7c020:$string3: wallet.dat
  • 0x7c036:$string3: wallet.dat
  • 0x7d422:$string4: Keylog Records
  • 0x7d73a:$string4: Keylog Records
  • 0x7d938:$string5: do not script -->
  • 0x7b676:$string6: \pidloc.txt
  • 0x7b704:$string7: BSPLIT
  • 0x7b714:$string7: BSPLIT
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bd35:$hawkstr1: HawkEye Keylogger
  • 0x7cb76:$hawkstr1: HawkEye Keylogger
  • 0x7cea5:$hawkstr1: HawkEye Keylogger
  • 0x7d000:$hawkstr1: HawkEye Keylogger
  • 0x7d163:$hawkstr1: HawkEye Keylogger
  • 0x7d3fa:$hawkstr1: HawkEye Keylogger
  • 0x7b8c3:$hawkstr2: Dear HawkEye Customers!
  • 0x7cef8:$hawkstr2: Dear HawkEye Customers!
  • 0x7d04f:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1b6:$hawkstr2: Dear HawkEye Customers!
  • 0x7b9e4:$hawkstr3: HawkEye Logger Details:
(65 entries in total; only the first rows are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed under each row)
8.0.Windows Update.exe.3d0000.10.unpack | RAT_PredatorPain | Detects PredatorPain RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b7df:$string1: holderwb.txt
  • 0x7b7fb:$string1: holderwb.txt
  • 0x7b961:$string3: There is a file attached to this email
  • 0x7bf35:$string4: screens\screenshot
  • 0x7a364:$string5: Disablelogger
  • 0x7a30e:$string6: \pidloc.txt
  • 0x79e1c:$string7: clearie
  • 0x79e34:$string8: clearff
  • 0x7a5c5:$string9: emails should be sent to you shortly
  • 0x7aad9:$string11: open=Sys.exe
  • 0x7a326:$ver1: PredatorLogger
  • 0x7a9a8:$ver3: Predator Pain
  • 0x7b79b:$ver3: Predator Pain
  • 0x7b910:$ver3: Predator Pain
  • 0x7bb27:$ver3: Predator Pain
8.0.Windows Update.exe.3d0000.10.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
8.0.Windows Update.exe.3d0000.10.unpack | JoeSecurity_PredatorPainRAT | Yara detected PredatorPainRAT | Kevin Breen <kevin@techanarchy.net>
8.0.Windows Update.exe.3d0000.10.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
8.0.Windows Update.exe.3d0000.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(206 entries in total; only the first rows are shown)

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\aaVb1xEmrd.exe' , ParentImage: C:\Users\user\Desktop\aaVb1xEmrd.exe, ParentProcessId: 2432, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ProcessId: 4280
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\aaVb1xEmrd.exe' , ParentImage: C:\Users\user\Desktop\aaVb1xEmrd.exe, ParentProcessId: 2432, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ProcessId: 4280
Sigma detected: PowerShell Script Run in AppData
Source: Process started | Author: Florian Roth, Jonhnathan Ribeiro, oscd.community | Data: Command: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' , CommandLine: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe, NewProcessName: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe, OriginalFileName: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 4280, ProcessCommandLine: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' , ProcessId: 6256
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\aaVb1xEmrd.exe' , ParentImage: C:\Users\user\Desktop\aaVb1xEmrd.exe, ParentProcessId: 2432, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ProcessId: 4280

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Multi AV Scanner detection for submitted file
Source: aaVb1xEmrd.exe | Virustotal: Detection: 69%
Source: aaVb1xEmrd.exe | Metadefender: Detection: 28%
Source: aaVb1xEmrd.exe | ReversingLabs: Detection: 74%
Antivirus / Scanner detection for submitted sample
Source: aaVb1xEmrd.exe | Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Metadefender: Detection: 60%
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: aaVb1xEmrd.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Joe Sandbox ML: detected
Source: 7.2.iExplorer.exe.6d0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.iExplorer.exe.6d0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.taskhost.exe.9c0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 5.0.taskhost.exe.9c0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.svchost.exe.bc0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 8.0.Windows Update.exe.3d0000.4.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.4.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.Windows Update.exe.3d0000.10.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.10.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.iExplorer.exe.6d0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.iExplorer.exe.6d0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.svchost.exe.f30000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 19.0.svchost.exe.320000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 5.2.taskhost.exe.9c0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.taskhost.exe.9c0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.Windows Update.exe.3d0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.0.Windows Update.exe.3d0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.Windows Update.exe.3d0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.Windows Update.exe.3d0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: aaVb1xEmrd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\SYSTEM32\winnlsres.dlls.pdb source: svchost.exe, 0000000A.00000002.490336011.00000000010A9000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb5c5619 source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: rlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Windows.Forms.pdbl source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe, vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp
Source: Binary string: ws\System.Windows.Forms.pdbpdbrms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb.p source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbsys source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
Source: Binary string: kC:\Windows\dll\System.Windows.Forms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
Source: taskhost.exe | Binary or memory string: [autorun]
Source: taskhost.exe | Binary or memory string: autorun.inf
Source: iExplorer.exe | Binary or memory string: [autorun]
Source: iExplorer.exe | Binary or memory string: autorun.inf
Source: Windows Update.exe | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\CureMe\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Vaccine\4535425425342grt45454s5s4\
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_00405C6C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_004052DC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_004026B9 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then call 05201B20h
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then jmp 05201A73h
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then jmp 05201A73h
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then call 05201B20h
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then call 05201B20h
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

Networking:

                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Domain query: smtp.mail.ru
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Network Connect: 94.100.180.160 587
                    May check the online IP address of the machine
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
                    Source: global traffic | TCP traffic: 192.168.2.3:49711 -> 94.100.180.160:587
                    Source: global traffic | TCP traffic: 192.168.2.3:49711 -> 94.100.180.160:587
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp | String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: svchost.exe, 0000000D.00000002.491272541.000001990D615000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: svchost.exe, 0000000D.00000002.491272541.000001990D615000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
                    Source: svchost.exe, 0000000D.00000002.491350262.000001990D649000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp | String found in binary or memory: http://status.geotrust.com0=
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exe | String found in binary or memory: http://whatismyipaddress.com/
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
                    Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com_
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
                    Source: taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comlt
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                    Source: iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comW
                    Source: iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comlvfet
                    Source: taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comoL
                    Source: taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comrsh
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
                    Source: taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                    Source: taskhost.exe, 00000005.00000003.231021953.000000000576E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/P
                    Source: iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/T
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: taskhost.exe, 00000005.00000003.231408705.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn1
                    Source: taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnE
                    Source: taskhost.exe, 00000005.00000003.231488771.0000000005771000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnO
                    Source: taskhost.exe, 00000005.00000003.231545876.0000000005751000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cntL
                    Source: iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnz
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                    Source: svchost.exe | String found in binary or memory: http://www.hackforums.net/member.php
                    Source: svchost.exe, 00000004.00000002.266893331.00000000039C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.hackforums.net/member.php?action=3Dprofile&uid=3D177092).=
                    Source: svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmp | String found in binary or memory: http://www.hackforums.net/member.php?action=profile&uid=177092).
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/16
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G
                    Source: taskhost.exe, 00000005.00000003.232528224.000000000574B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Versh
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Vet
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0rsh
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/c
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/z
                    Source: taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/phy/
                    Source: taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/z
                    Source: vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
                    Source: iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
                    Source: taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comO
                    Source: taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comic
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
                    Source: taskhost.exe, 00000005.00000003.235558162.0000000005770000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.235337554.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
                    Source: taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                    Source: taskhost.exe, 00000005.00000003.231928279.0000000005770000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                    Source: svchost.exe, 00000004.00000002.266303126.00000000039A2000.00000004.00000001.sdmp | String found in binary or memory: https://biz.mail.ru)
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exe | String found in binary or memory: https://login.yahoo.com/config/login
                    Source: Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: https://tamina212.000webhostapp.com/data.php
                    Source: svchost.exe, 00000004.00000002.270937133.000000001DA0C000.00000004.00000001.sdmp, Windows Update.exe, 00000008.00000002.313966504.0000000006904000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490119610.000000000108C000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: unknown | DNS traffic detected: queries for: smtp.mail.ru
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_02AFA09A recv,
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Installs a global keyboard hook
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\svchost.exe
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\taskhost.exe
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Windows user hook set: 0 keyboard low level C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Windows user hook set: 0 keyboard low level C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                    Contains functionality to log keystrokes (.Net Source)
                    Source: taskhost.exe.1.dr, Form1.cs | .Net Code: HookKeyboard
                    Source: iExplorer.exe.1.dr, Form1.cs | .Net Code: HookKeyboard
                    Source: WindowsUpdate.exe.5.dr, Form1.cs | .Net Code: HookKeyboard
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                    Source: Windows Update.exe.7.dr, Form1.cs | .Net Code: HookKeyboard
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs | .Net Code: HookKeyboard
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs | .Net Code: HookKeyboard
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_00404EA7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary:

                    Yara detected PredatorPainRAT
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
                    Malicious sample detected (through community Yara rule)Show sources
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
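The rows above name each Yara hit by a source string whose shape encodes where it came from: `<pid>.<stage>.<process>.<base>.<n>[.raw].unpack` for an unpacked PE image, `<pid hex>.<stage>.<dump id>.<base>.<..>.<..>.sdmp` for a memory dump, and a plain path for a dropped file. The Python below is an added example, not part of the Joe Sandbox report: it parses such rows and groups the hits per process so the family split is visible at a glance (taskhost.exe and process 0x22 carry HawkEye, iExplorer.exe and Windows Update.exe carry PredatorPain). The sample rows are copied from the listing above. Assumptions not documented on the page: the stage field is read as 0 = process start, 2 = process end, 3 = during execution, and the two trailing fields of an .sdmp name are kept opaque. HKTL_NET_GUID_Stealer fires on both families' dumps in this report, so the example files it as a generic tool signature rather than a family attribution.

```python
"""Parse the "Source: ..., type: ... Matched rule: ..." rows of a Joe Sandbox
report and group the Yara hits per process.

Added example, not the report's own tooling. Assumed, not documented on the
page: stage 0 = process start, 2 = process end, 3 = during execution; the two
trailing fields of an .sdmp name are kept opaque.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the listing above. Two rows keep the fused
# "...Matched rule:" form the HTML extraction produces; the parser accepts both.
SAMPLE_ROWS = r"""
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED | Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
"""

# One row: "Source: <source>, type: <TYPE>" then "Matched rule: <desc> [Author: <who>]".
# The separator between the two cells is optional because extraction may fuse them.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+?)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>.+?)(?:\s+Author:\s*(?P<author>.+))?$"
)
# Unpacked PE: <pid>.<stage>.<process name>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d)\.(?P<proc>.+?)\.(?P<base>[0-9a-fA-F]+)\."
    r"(?P<idx>\d+)\.(?:raw\.)?unpack$"
)
# Memory dump: <pid hex>.<stage hex>.<dump id>.<base hex>.<opaque>.<opaque>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$"
)
# Rule descriptions naming a family; anything else (HKTL_NET_GUID_Stealer fires on
# both families' dumps in this report) is filed as generic.
FAMILY_HINTS = (("predatorpain", "PredatorPain"), ("hawkeye", "HawkEye"))


def family_of(rule):
    low = rule.lower()
    for needle, family in FAMILY_HINTS:
        if needle in low:
            return family
    return "generic"


def parse_source(source, kind):
    """Return (pid, process name or path, base address) for one source cell."""
    if kind == "UNPACKEDPE":
        m = UNPACK_RE.match(source)
        if not m:
            raise ValueError(f"unexpected unpack name: {source}")
        return int(m["pid"]), m["proc"], int(m["base"], 16)
    if kind == "MEMORY":
        m = SDMP_RE.match(source)
        if not m:
            raise ValueError(f"unexpected dump name: {source}")
        return int(m["pid"], 16), None, int(m["base"], 16)  # PID is hex in .sdmp names
    return None, source, None  # DROPPED: the row only gives the path


def parse_rows(text):
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pid, proc, base = parse_source(m["source"], m["type"])
        records.append({"pid": pid, "process": proc, "base": base, "type": m["type"],
                        "rule": m["rule"], "author": m["author"],
                        "family": family_of(m["rule"])})
    return records


def process_names(records):
    """PID -> image name, learned from the unpacked-PE rows (.sdmp rows carry no name)."""
    return {r["pid"]: r["process"] for r in records if r["type"] == "UNPACKEDPE"}


def families_by_pid(records):
    """PID -> set of families attributed by its Yara hits; dropped files are skipped."""
    out = defaultdict(set)
    for r in records:
        if r["pid"] is not None and r["family"] != "generic":
            out[r["pid"]].add(r["family"])
    return dict(out)


def summarize(records):
    names = process_names(records)
    return [(pid, names.get(pid, "?"), sorted(fams))
            for pid, fams in sorted(families_by_pid(records).items())]


if __name__ == "__main__":
    for pid, name, fams in summarize(parse_rows(SAMPLE_ROWS)):
        print(f"pid {pid:>3}  {name:<20} {', '.join(fams)}")
```

Run against the ten sample rows it prints one line per process: 5 (taskhost.exe) and 34 (no unpacked image in the sample, so no name) resolve to HawkEye, 7 (iExplorer.exe) and 8 (Windows Update.exe) to PredatorPain. Two details matter when pivoting from this report into IOCs: the .sdmp names carry the process number in hex (00000022 is 34) while the .unpack names carry it in decimal, and the two dropped payloads differ only by a space in the file name (Windows Update.exe is the PredatorPain build, WindowsUpdate.exe the HawkEye build), so a path-based IOC list must keep both spellings.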
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_0040686C
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_00406095
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe | Code function: 1_2_004046B8
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_00007FFAEE5E3DDC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009CD426
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009DD5AE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009CD523
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009CD6C4
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009D7646
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A029BE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A06AF4
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A2ABFC
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A23CBE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A23C4D
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A23DC0
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_00A23D2F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009CED03
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009CCF92
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009DAFA6
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05208D68
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05205758
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05206048
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05207098
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05205753
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05208D5F
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05201D98
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05207093
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_009FC7BC
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006FF0FC
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006DC162
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006DC25F
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006EC2EA
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006E6382
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006DC400
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_007116FA
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_00715830
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_00739938
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_007329FA
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_00732989
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_00732A6B
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006DDA3F
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_00732AFC
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006E9CE2
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_006DBCCE
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_0070B4F8
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_02950D58
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003FF0FC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003DC162
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003DC25F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003EC2EA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003E6382
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003DC400
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_004116FA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_00415830
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_00439938
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_004329FA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_00432989
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003DDA3F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_00432A6B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_00432AFC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003E9CE2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_003DBCCE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04D64470
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_0040B4F8
Source: MULTIBOT_NEWW.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: taskhost.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: taskhost.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: taskhost.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iExplorer.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: security.dll
Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | Section loaded: security.dll
Source: aaVb1xEmrd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.taskhost.exe.30d936c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.taskhost.exe.311411c.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE | Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.2e4bf0c.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.2b89e50.14.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.2.Windows Update.exe.2b89e50.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.2b89ea8.8.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPEDMatched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPEDMatched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\aaVb1xEmrd.exe Code function: 1_2_0040315D EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: String function: 00A0BA9D appears 36 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 003EBF1F appears 42 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 0041A7D9 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: String function: 0071A7D9 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05295B1E NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05295A76 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_0529548A NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_0529545C NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 5_2_05295AF1 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E06ABA NtResumeThread,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E05266 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E06B62 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E0522C NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 8_2_04E06B35 NtWriteVirtualMemory,
                    Source: aaVb1xEmrd.exe, 00000001.00000002.229466151.0000000000409000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameMicrosoft.exe4 vs aaVb1xEmrd.exe
                    Source: MULTIBOT_NEWW.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: aaVb1xEmrd.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows FirewallJump to behavior
                    Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@45/38@8/4
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: WindowsUpdate.exe.5.dr, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: taskhost.exe.1.dr, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: MULTIBOT_NEWW.exe, 00000003.00000002.489293811.0000000000418000.00000004.00020000.sdmpBinary or memory string: bA*\AD:\1. alat hacking\buat\projek vb\baru\MultiBotNew.vbp
                    Source: MULTIBOT_NEWW.exeBinary or memory string: A*\AD:\1. alat hacking\buat\projek vb\baru\MultiBotNew.vbp
                    Source: aaVb1xEmrd.exeVirustotal: Detection: 69%
                    Source: aaVb1xEmrd.exeMetadefender: Detection: 28%
                    Source: aaVb1xEmrd.exeReversingLabs: Detection: 74%
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeFile read: C:\Users\user\Desktop\aaVb1xEmrd.exeJump to behavior
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\aaVb1xEmrd.exe 'C:\Users\user\Desktop\aaVb1xEmrd.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                    Source: unknownProcess created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
                    Source: unknownProcess created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1096
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1168
                    Source: unknownProcess created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05294E52 AdjustTokenPrivileges,
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05294E1B AdjustTokenPrivileges,
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 8_2_04E05196 AdjustTokenPrivileges,
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 8_2_04E0515F AdjustTokenPrivileges,
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeFile created: C:\Users\user\AppData\Local\Temp\nsk8DE2.tmpJump to behavior
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_004020A3 CoCreateInstance,MultiByteToWideChar,
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_004041ED GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: taskhost.exe, iExplorer.exe, Windows Update.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: svchost.exe.1.dr, adiGWFtrqf.csBase64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
                    Source: taskhost.exe.1.dr, Form1.csBase64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: iExplorer.exe.1.dr, Form1.csBase64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
                    Source: WIN32.exe.4.dr, adiGWFtrqf.csBase64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
                    Source: svchost.exe.4.dr, adiGWFtrqf.csBase64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
                    Source: 4.0.svchost.exe.f30000.0.unpack, adiGWFtrqf.csBase64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
                    Source: 4.2.svchost.exe.f30000.0.unpack, adiGWFtrqf.csBase64 encoded string: 'm64gwmR0HBqjDHzUrBhPfb/YC2Q2XbDWy24DSgcmkigYit4uivnhFo8VijDcPEgMGKep3qNg8lmXDOdbYfdioJ1Cf5SzrnsaxFMaAqef5bJ7ERTgY6Est0zQmlSWXanRQ5m2Peec5ewf8N4pRDrRp0roFQ3bKb2rZ73lbPAEvhSFalCDylU4alwwQgSgHez89kRQyeAOUcd4CRimSMh14A=='
                    Source: WindowsUpdate.exe.5.dr, Form1.csBase64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.csBase64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.csBase64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi/qgHH6xeH3nE5Cxy23dNk6dWXT4ZxIlJMClvYdNCBtl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: Windows Update.exe.7.dr, Form1.csBase64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.csBase64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.csBase64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.csBase64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.csBase64 encoded string: 'kbQnaMAqc4rJo1mT4B7RhwJe+fGXJpsZbpD3A8cRLpF8r37V6hwFJclFmi3TuPcV', 'jrjjihHgoFSS2LreSmIPt+dvMS9SWwm2bpCpzwButM0keLFgPXou3jD1/WWxI/SyPaT8uEnh2ZPIQJkcNfdo9K9mbud854hZXCXmEexYTBZThg83UWFB79E6a49yUNIf'
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6292
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6280
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\0w96J1537j
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\iExplorer.exe
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\iExplorer.exe
                    Source: svchost.exe.1.dr, adiGWFtrqf.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: taskhost.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: taskhost.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: taskhost.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: taskhost.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor'
                    Source: iExplorer.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: iExplorer.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: iExplorer.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: iExplorer.exe.1.dr, Form1.csCryptographic APIs: 'CreateDecryptor'
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeAutomated click: OK
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeAutomated click: Continue
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
                    Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\SYSTEM32\winnlsres.dlls.pdb source: svchost.exe, 0000000A.00000002.490336011.00000000010A9000.00000004.00000001.sdmp
                    Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb5c5619 source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
                    Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbd source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: rlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Windows.Forms.pdbl source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: taskhost.exe, iExplorer.exe, Windows Update.exe, vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: ws\System.Windows.Forms.pdbpdbrms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb.p source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\System.Windows.Forms.pdbsys source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000008.00000000.277693996.0000000000A27000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000008.00000000.287657799.0000000008F0A000.00000004.00000001.sdmp
                    Source: Binary string: kC:\Windows\dll\System.Windows.Forms.pdb source: svchost.exe, 0000000A.00000002.491098692.0000000001502000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.491122955.0000000001513000.00000004.00000001.sdmp

                    Data Obfuscation:

                    barindex
                    .NET source code contains potential unpacker
                    Source: taskhost.exe.1.dr, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: taskhost.exe.1.dr, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: taskhost.exe.1.dr, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: taskhost.exe.1.dr, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: iExplorer.exe.1.dr, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: WindowsUpdate.exe.5.dr, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Windows Update.exe.7.dr, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_00A30712 push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_00A0B87E push ecx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_00A0BA9D push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_02B07EF2 push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_052049A9 push edx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_052049AB push edx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_052049AF push edx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204B87 push esi; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204B8B push edi; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204830 push ecx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204833 push ecx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05200016 push es; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204661 push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204663 push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204A59 push ebx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204AA9 push ebx; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204AE7 push esp; ret
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05204ADF push ebx; ret
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeCode function: 7_2_0073F44E push eax; ret
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeCode function: 7_2_0071A5BA push ecx; ret
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeCode function: 7_2_0071A7D9 push eax; ret
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 8_2_0043F44E push eax; ret
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 8_2_0041A5BA push ecx; ret
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 8_2_0041A7D9 push eax; ret
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 8_2_00CA6063 pushad ; retf 0000h
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_00405CAA GetModuleHandleA,LoadLibraryA,GetProcAddress,
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.57942816891

                    Persistence and Installation Behavior:

                    barindex
                    Drops PE files with benign system names
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeFile created: C:\Users\user\AppData\Local\Temp\svchost.exe
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeFile created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeFile created: C:\Users\user\AppData\Local\Temp\taskhost.exe
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeFile created: C:\Users\user\AppData\Roaming\Windows Update.exe
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeFile created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeFile created: C:\Users\user\AppData\Local\Temp\iExplorer.exe

                    Boot Survival:

                    barindex
                    Creates multiple autostart registry keys
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run server host protocol windows
                    Creates an undocumented autostart registry key
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{663zMYl1-971G-Rz79-18o0-8F397xVI0j0L} stubpath
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows

                    Hooking and other Techniques for Hiding and Protection:

                    barindex
                    Changes the view of files in windows explorer (hidden files and folders)
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: svchost.exe, svchost.exe, 0000000A.00000002.491311478.0000000003641000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.273163025.0000000002C41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmp Binary or memory string: SBIEDLL.DLL+SOFTWARE\VALVE\STEAM\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4884 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3644 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 3136 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 476 Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 5164 Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 3016 Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 6276 Thread sleep count: 1079 > 30
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 1748 Thread sleep count: 1121 > 30
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe TID: 5276 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe TID: 464 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6200 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6672 Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6692 Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6688 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7100 Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -2600000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6696 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 6496 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Thread delayed: delay time: 120000
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window / User API: threadDelayed 1079
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window / User API: threadDelayed 1121
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Window / User API: threadDelayed 560
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe Code function: 7_2_006D3EC6 sldt word ptr [eax]
                    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: GetAdaptersInfo,
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeThread delayed: delay time: 140000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeThread delayed: delay time: 60000
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 120000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 120000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeThread delayed: delay time: 180000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeThread delayed: delay time: 100000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeThread delayed: delay time: 100000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeThread delayed: delay time: 100000
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\CureMe\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\gtry6wy5u54w64get63r3\ty34t43t4t4te45634\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile opened: C:\Vaccine\4535425425342grt45454s5s4\tg43gey4wk5l4jw56k34j5l4kjlsw56jkwl6j\gtrewt543w5j4hktjh4lk5qlktresty3\
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile opened: C:\Vaccine\4535425425342grt45454s5s4\
                    Source: svchost.exe, 0000000D.00000002.491370590.000001990D661000.00000004.00000001.sdmpBinary or memory string: @Hyper-V RAW
                    Source: svchost.exe, 0000000D.00000002.490046729.0000019908029000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000004.00000002.262341975.00000000014AE000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.490695793.00000000010E9000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_00405C6C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_004052DC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_004026B9 FindFirstFileA,
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeCode function: 1_2_00405CAA GetModuleHandleA,LoadLibraryA,GetProcAddress,
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess token adjusted: Debug
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeCode function: 5_2_05207920 LdrInitializeThunk,
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeDomain query: smtp.mail.ru
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeNetwork Connect: 94.100.180.160 587
                    Allocates memory in foreign processes
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Injects a PE file into a foreign process
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Sample uses process hollowing technique
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Writes to foreign memory regions
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    .NET source code references suspicious native API functions
                    Source: taskhost.exe.1.dr, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: taskhost.exe.1.dr, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: iExplorer.exe.1.dr, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: iExplorer.exe.1.dr, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: WindowsUpdate.exe.5.dr, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: WindowsUpdate.exe.5.dr, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.0.taskhost.exe.9c0000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.2.taskhost.exe.9c0000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: Windows Update.exe.7.dr, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: Windows Update.exe.7.dr, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 7.2.iExplorer.exe.6d0000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 7.0.iExplorer.exe.6d0000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 8.0.Windows Update.exe.3d0000.4.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 8.0.Windows Update.exe.3d0000.10.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe 'C:\Users\user\AppData\Local\Temp\svchost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\taskhost.exe 'C:\Users\user\AppData\Local\Temp\taskhost.exe'
                    Source: C:\Users\user\Desktop\aaVb1xEmrd.exeProcess created: C:\Users\user\AppData\Local\Temp\iExplorer.exe 'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2200
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmpBinary or memory string: edProgram Manager
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmpBinary or memory string: Program Manager(
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmpBinary or memory string: Program Manager
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (11:09:22 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (12:19:16 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (10:59:22 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (9:36:07 AM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (12:22:36 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.492263729.0000000003CFD000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (12:30:56 PM) -----|
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (9:47:47 AM) -----|
                    Source: svchost.exe, 0000000A.00000002.491966567.0000000003ACF000.00000004.00000001.sdmpBinary or memory string: |-----Program Manager (9:39:27 AM) -----|
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings:

                    Disables Windows system restore
                    Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore DisableSR
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: taskhost.exe, 00000005.00000002.321548245.00000000010D4000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
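Added example (not code from Joe Sandbox, nor from the analysed sample): a small Python triage script that reads behaviour lines in the "Source: <process> <event>: <detail>" layout used in this report and flags the behaviours this section and the preceding one document: the SystemRestore DisableSR registry write, the root\SecurityCenter2 AntivirusProduct/FirewallProduct enumeration, the Cryptography\MachineGuid lookup used to fingerprint the victim, and system-named binaries (svchost.exe, taskhost.exe) running from user-writable paths. The rule names, the SYSTEM_BINARY_NAMES set and the SAMPLE_EVENTS list are assumptions made for the example; the paths and registry/WMI strings inside SAMPLE_EVENTS are copied from the report. The line regex also accepts the run-together form ("taskhost.exeWMI Queries:") that the extracted report text uses.

```python
"""Triage sandbox behaviour lines for the evasion and fingerprinting signals
documented in this report section.

Added example: not code from Joe Sandbox or from the analysed sample. The rule
names, the SYSTEM_BINARY_NAMES set and the SAMPLE_EVENTS list are assumptions
made for illustration; the paths and registry/WMI strings inside SAMPLE_EVENTS
are copied from the report.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Event labels exactly as the report prints them. The regex anchors on them
# because the extracted report text runs the process path straight into the
# label ("...taskhost.exeWMI Queries: ..."), so splitting on whitespace is
# not reliable.
EVENT_NAMES = (
    "Registry key created or modified",
    "WMI Queries",
    "Key value queried",
    "Queries volume information",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*(?P<event>"
    + "|".join(re.escape(name) for name in EVENT_NAMES)
    + r"):\s*(?P<detail>.*)$"
)

# Rule names (assumed for the example).
RULE_DISABLE_SR = "system_restore_disabled"
RULE_SECCENTER = "security_product_enumeration"
RULE_MACHINEGUID = "machineguid_fingerprint"
RULE_MASQ = "system_binary_outside_windows_dir"

# Binaries that only legitimately execute from under C:\Windows. Assumed list;
# the report shows svchost.exe and taskhost.exe running from the user profile.
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhost.exe", "taskhostw.exe", "lsass.exe", "csrss.exe"}
WINDOWS_DIR = r"c:\windows"

# Constructed sample lines in the report's layout: one per behaviour plus a
# benign BITS database query from the genuine System32 svchost.exe.
SAMPLE_EVENTS = [
    r"Source: C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe Registry key created or modified: "
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore DisableSR",
    r"Source: C:\Users\user\AppData\Local\Temp\taskhost.exe WMI Queries: "
    r"IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Users\user\AppData\Local\Temp\taskhost.exe WMI Queries: "
    r"IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct",
    r"Source: C:\Users\user\AppData\Local\Temp\svchost.exe Key value queried: "
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\System32\svchost.exe Queries volume information: "
    r"C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation",
]


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one report line into (process path, event label, detail)."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    return match.group("proc"), match.group("event"), match.group("detail")


def is_masquerading(proc_path: str) -> bool:
    """True when a system-named binary runs from outside the Windows directory."""
    name = ntpath.basename(proc_path).lower()
    if name not in SYSTEM_BINARY_NAMES:
        return False
    directory = ntpath.dirname(proc_path).lower()
    return not (directory == WINDOWS_DIR or directory.startswith(WINDOWS_DIR + "\\"))


def classify(proc: str, event: str, detail: str) -> List[str]:
    """Return the rule names a single event triggers (possibly several)."""
    hits: List[str] = []
    d = detail.lower()
    # HKLM\...\SystemRestore DisableSR written by the sample: recovery points off.
    if event == "Registry key created or modified" and re.search(r"\\systemrestore\s+disablesr$", d):
        hits.append(RULE_DISABLE_SR)
    # WMI enumeration of installed AV / firewall via root\SecurityCenter2.
    if event == "WMI Queries" and r"root\securitycenter2" in d and re.search(
        r"from\s+(antivirus|firewall|antispyware)product\b", d
    ):
        hits.append(RULE_SECCENTER)
    # MachineGuid read: a stable per-host identifier used to tag the victim.
    if event == "Key value queried" and d.endswith(r"\cryptography machineguid"):
        hits.append(RULE_MACHINEGUID)
    if is_masquerading(proc):
        hits.append(RULE_MASQ)
    return hits


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each triggered rule to the (deduplicated, ordered) processes behind it."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, event, detail = parsed
        for rule in classify(proc, event, detail):
            if proc not in findings[rule]:
                findings[rule].append(proc)
    return dict(findings)


if __name__ == "__main__":
    for rule, procs in sorted(triage(SAMPLE_EVENTS).items()):
        print(rule)
        for proc in procs:
            print("  " + proc)
```

The location check is deliberately a path heuristic rather than a signature check: the report's dropped copies carry the real names svchost.exe and taskhost.exe, so name alone says nothing, while a parent directory under C:\Users is something the genuine service host never has. The benign System32 svchost.exe line in the sample set produces no finding, which is the false-positive case the heuristic has to get right.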

                    Stealing of Sensitive Information:

                    Yara detected MailPassView
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d0000.10.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.taskhost.exe.a1fa72.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3b67e00.15.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.0.iExplorer.exe.72e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.42e7ae.13.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.0.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.42e7ae.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.Windows Update.exe.3b67e00.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.taskhost.exe.a1fa72.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3b67e00.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.Windows Update.exe.42e7ae.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.0.iExplorer.exe.72e7ae.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.0.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.2.iExplorer.exe.72e7ae.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.42e7ae.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.0.iExplorer.exe.6d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.taskhost.exe.a1fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.taskhost.exe.9c8208.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.taskhost.exe.40b7e00.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.2.iExplorer.exe.72e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.42e7ae.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.3.taskhost.exe.7421c02.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3b67e00.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.Windows Update.exe.3b67e00.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.Windows Update.exe.42e7ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.taskhost.exe.40b7e00.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.3.taskhost.exe.7421c02.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.Windows Update.exe.3d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3b67e00.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.42e7ae.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.2.iExplorer.exe.6d8949.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.taskhost.exe.a1fa72.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.taskhost.exe.9c8208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.Windows Update.exe.3d6f44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.2.iExplorer.exe.6d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.taskhost.exe.9c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d0000.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d8949.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.42e7ae.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d6f44.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 7.2.iExplorer.exe.6d6f44.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d6f44.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d8949.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d8949.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.Windows Update.exe.3d6f44.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.taskhost.exe.9c9c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.Windows Update.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000008.00000000.283523438.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.293259909.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: iExplorer.exe PID: 1352, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5204, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6912, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Yara detected WebBrowserPassView password recovery tool
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Tries to steal Instant Messenger accounts or passwords
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

                    Remote Access Functionality:

                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: Process Memory Space: taskhost.exe PID: 4548, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\taskhost.exe, type: DROPPED
                    Detected HawkEye Rat
                    Source: taskhost.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                    Source: taskhost.exe | String found in binary or memory: HawkEyeKeylogger
                    Source: taskhost.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                    Source: taskhost.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
                    Source: taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: ar#"HawkEye_Keylogger_Stealer_Records_
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290A8E listen,
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290E9E bind,
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290E6B bind,
                    Source: C:\Users\user\AppData\Local\Temp\taskhost.exe | Code function: 5_2_05290A50 listen,
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0FC6 bind,
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0A8E listen,
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0F93 bind,
                    Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe | Code function: 7_2_04FD0A50 listen,
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00A8E listen,
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00FC6 bind,
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00A50 listen,
                    Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 8_2_04E00F93 bind,

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Replication Through Removable Media1 | Windows Management Instrumentation1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools11 | Input Capture21 | Peripheral Device Discovery1 | Replication Through Removable Media1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
                    Default Accounts | Native API11 | Registry Run Keys / Startup Folder21 | Access Token Manipulation1 | Deobfuscate/Decode Files or Information11 | Credentials in Registry1 | File and Directory Discovery3 | Remote Desktop Protocol | Email Collection1 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Inhibit System Recovery1
                    Domain Accounts | Shared Modules1 | Logon Script (Windows) | Process Injection512 | Obfuscated Files or Information41 | Credentials In Files1 | System Information Discovery25 | SMB/Windows Admin Shares | Input Capture21 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder21 | Software Packing13 | NTDS | Query Registry1 | Distributed Component Object Model | Clipboard Data2 | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Security Software Discovery241 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading111 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol12 | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion51 | DCSync | Virtualization/Sandbox Evasion51 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection512 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories1 | Network Sniffing | System Network Configuration Discovery11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                    Behavior Graph

                    [Behavior graph image not reproduced in text. Graph header: Behavior Graph ID: 478309, Sample: aaVb1xEmrd, Startdate: 06/09/2021, Architecture: WINDOWS, Score: 100]

                    Screenshots


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    aaVb1xEmrd.exe | 70% | Virustotal |
                    aaVb1xEmrd.exe | 31% | Metadefender |
                    aaVb1xEmrd.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                    aaVb1xEmrd.exe | 100% | Avira | HEUR/AGEN.1112163
                    aaVb1xEmrd.exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | TR/Spy.Gen
                    C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | TR/AD.MExecute.lzrac
                    C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | SPR/Tool.MailPassView.473
                    C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe | 100% | Avira | TR/Spy.Gen
                    C:\Users\user\AppData\Local\Temp\iExplorer.exe | 100% | Avira | TR/AD.MExecute.lzrac
                    C:\Users\user\AppData\Local\Temp\iExplorer.exe | 100% | Avira | SPR/Tool.MailPassView.473
                    C:\Users\user\AppData\Local\Temp\taskhost.exe | 100% | Avira | TR/AD.MExecute.lzrac
                    C:\Users\user\AppData\Local\Temp\taskhost.exe | 100% | Avira | SPR/Tool.MailPassView.473
                    C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | TR/AD.MExecute.lzrac
                    C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | SPR/Tool.MailPassView.473
                    C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 100% | Avira | TR/Spy.Gen
                    C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\iExplorer.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\taskhost.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML |
                    C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 100% | Joe Sandbox ML |
                    C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 71% | Metadefender |
                    C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe | 86% | ReversingLabs | ByteCode-MSIL.Spyware.Generic

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    7.2.iExplorer.exe.6d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    7.2.iExplorer.exe.6d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    5.0.taskhost.exe.9c0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    5.0.taskhost.exe.9c0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    10.0.svchost.exe.bc0000.0.unpack | 100% | Avira | TR/Spy.Gen
                    8.0.Windows Update.exe.3d0000.4.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    8.0.Windows Update.exe.3d0000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    8.0.Windows Update.exe.3d0000.10.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    8.0.Windows Update.exe.3d0000.10.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    7.0.iExplorer.exe.6d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    7.0.iExplorer.exe.6d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    4.0.svchost.exe.f30000.0.unpack | 100% | Avira | TR/Spy.Gen
                    19.0.svchost.exe.320000.0.unpack | 100% | Avira | TR/Spy.Gen
                    5.2.taskhost.exe.9c0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    5.2.taskhost.exe.9c0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    8.0.Windows Update.exe.3d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    8.0.Windows Update.exe.3d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    8.2.Windows Update.exe.3d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    8.2.Windows Update.exe.3d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cnO | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comoL | 0% | Avira URL Cloud | safe
http://www.fontbureau.comrsh | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://biz.mail.ru) | 0% | Avira URL Cloud | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0rsh | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnE | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/) | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/phy/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Versh | 0% | Avira URL Cloud | safe
http://www.carterandcone.com_ | 0% | Avira URL Cloud | safe
http://www.carterandcone.comlt | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
http://www.founder.com.cn/cnz | 0% | Avira URL Cloud | safe
http://www.fontbureau.comW | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/T | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/z | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/P | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/; | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe
http://www.founder.com.cn/cn1 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/16 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comlvfet | 0% | URL Reputation | safe
http://www.tiro.comO | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cntL | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/c | 0% | URL Reputation | safe
http://www.tiro.comic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Vet | 0% | Avira URL Cloud | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.mail.ru | 94.100.180.160 | true | false | | high
whatismyipaddress.com | 104.16.154.36 | true | false | | high
160.192.10.0.in-addr.arpa | unknown | unknown | false | | high

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | | high

                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.founder.com.cn/cnO | taskhost.exe, 00000005.00000003.231488771.0000000005771000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.hackforums.net/member.php?action=profile&uid=177092). | svchost.exe, 00000004.00000002.259142948.0000000000F32000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000000.254608825.0000000000BC2000.00000002.00020000.sdmp, svchost.exe, 00000013.00000000.267457896.0000000000322000.00000002.00020000.sdmp | false | | high
http://www.fontbureau.com/designers/? | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.hackforums.net/member.php?action=3Dprofile&uid=3D177092).= | svchost.exe, 00000004.00000002.266893331.00000000039C4000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comoL | taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comrsh | taskhost.exe, 00000005.00000003.235933696.000000000574B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://biz.mail.ru) | svchost.exe, 00000004.00000002.266303126.00000000039A2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.com | taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://tamina212.000webhostapp.com/data.php | Windows Update.exe, 00000008.00000000.279304635.0000000002B61000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Y0rsh | taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnE | taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com/- | taskhost.exe, 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, iExplorer.exe, 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Windows Update.exe, 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp | false | | high
http://www.hackforums.net/member.php | svchost.exe | false | | high
http://www.galapagosdesign.com/DPlease | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/) | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://login.yahoo.com/config/login | taskhost.exe, iExplorer.exe, Windows Update.exe | false | | high
http://www.fonts.com | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | false | | high
http://www.urwpp.deDPlease | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | vbc.exe, 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp | false | | high
http://www.urwpp.de | taskhost.exe, 00000005.00000003.235558162.0000000005770000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.235337554.0000000005770000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | taskhost.exe, 00000005.00000003.231928279.0000000005770000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/phy/ | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Versh | taskhost.exe, 00000005.00000003.232528224.000000000574B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.com_ | taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comlt | taskhost.exe, 00000005.00000003.232245246.0000000005770000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/G | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com | taskhost.exe, 00000005.00000002.322122044.00000000030B1000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnz | iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comW | iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/T | iExplorer.exe, 00000007.00000003.231598313.00000000057BC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/z | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/P | taskhost.exe, 00000005.00000003.231021953.000000000576E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/; | taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/z | taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn1 | taskhost.exe, 00000005.00000003.231408705.0000000005770000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/16 | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | taskhost.exe, 00000005.00000003.231707810.0000000005772000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comlvfet | iExplorer.exe, 00000007.00000002.250883500.00000000010B8000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comO | taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp, taskhost.exe, 00000005.00000003.234152424.000000000574C000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | taskhost.exe, 00000005.00000002.325663721.0000000006A02000.00000004.00000001.sdmp, iExplorer.exe, 00000007.00000002.254393822.0000000006A02000.00000004.00000001.sdmp | false | | high
https://www.google.com/accounts/servicelogin | taskhost.exe, iExplorer.exe, Windows Update.exe | false | | high
http://www.founder.com.cn/cntL | taskhost.exe, 00000005.00000003.231545876.0000000005751000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/c | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comic | taskhost.exe, 00000005.00000003.232159632.0000000005770000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Vet | taskhost.exe, 00000005.00000003.233268599.000000000574A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                                    Contacted IPs


                                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.154.36 | whatismyipaddress.com | United States | 13335 | CLOUDFLARENETUS | false
94.100.180.160 | smtp.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | false

                                                                    Private

                                                                    IP
                                                                    192.168.2.1
                                                                    127.0.0.1

                                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 478309
Start date: 06.09.2021
Start time: 11:21:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 20s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: aaVb1xEmrd (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@45/38@8/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 11.7% (good quality ratio 9.7%)
• Quality average: 62.4%
• Quality standard deviation: 36.1%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 184.30.21.144, 20.42.65.92, 23.211.4.86, 20.189.173.22, 20.50.102.62, 20.189.173.20, 23.55.161.162, 23.55.161.142, 184.24.8.125, 20.199.120.182, 184.24.3.140, 20.82.209.104, 52.182.143.212, 23.216.77.208, 23.216.77.209, 40.112.88.60, 20.82.210.154
• Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, cdn.onenote.net.edgekey.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, onedsblobprdcus15.centralus.cloudapp.azure.com, wildcard.weather.microsoft.com.edgekey.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, client.wns.windows.com, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, tile-service.weather.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                    Simulations

                                                                    Behavior and APIs

                                                                    Time     | Type            | Description
                                                                    11:22:24 | API Interceptor | 926x Sleep call for process: svchost.exe modified
                                                                    11:22:26 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    11:22:27 | API Interceptor | 5x Sleep call for process: taskhost.exe modified
                                                                    11:22:35 | API Interceptor | 23x Sleep call for process: Windows Update.exe modified
                                                                    11:22:36 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                    11:22:39 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
                                                                    11:22:39 | API Interceptor | 4x Sleep call for process: dw20.exe modified
                                                                    11:22:45 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    11:22:53 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                    11:23:01 | Autostart       | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run server host protocol windows C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe

                                                                    Joe Sandbox View / Context

                                                                    IPs

                                                                    No context

                                                                    Domains

                                                                    No context

                                                                    ASN

                                                                    No context

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):4096
                                                                    Entropy (8bit):0.5975851327512959
                                                                    Encrypted:false
                                                                    SSDEEP:6:0FLk1GaD0JOCEfMuaaD0JOCEfMKQmD6tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0aGaD0JcaaD0JwQQ6tAg/0bjSQJ
                                                                    MD5:D87796F366C70FF245EE50AC6D986702
                                                                    SHA1:18EF75524480ACB54EDD94C6649B4A98EBC38AB9
                                                                    SHA-256:D96C38CD97B679DA05AC6BFE6CA5E971802C213407780EA4E190668A9960D3AA
                                                                    SHA-512:107D0C23110F90BADB501CCD644971AD99185BE223FBDBFEE76B103D9256740A5D9463E68996847B74267F6379DEBFCB752E8BA94AD3C174FEA888BBD881EFED
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......:{..(.....!....y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................!....y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xebd9be4e, page size 16384, DirtyShutdown, Windows version 10.0
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):0.09588615580835741
                                                                    Encrypted:false
                                                                    SSDEEP:12:X+sA0+NXO4blD2KlK5+sA0+NXO4blD2KlK:X+I3+I
                                                                    MD5:8D9FC6C34120DDC9EEA7B8B108D1E52E
                                                                    SHA1:62C0CDA550C8DBA877555389B59D43AB4F35EDEE
                                                                    SHA-256:D85849AD410CAF5DB73EE255A463C72BA4058EB3E96AB3FC20684176BE614C98
                                                                    SHA-512:0730F6677CDADEE365B524197E69961DD31B27521D3822F0B1B4D87C224D3C1DFA93AA800B3077C55A7543628628734E5E6DF46910C8C1E9262AAE9885C18616
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..N... ................e.f.3...w........................&..........w..!....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................X5."....y.a................Qm.a"....y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.10820739268990756
                                                                    Encrypted:false
                                                                    SSDEEP:3:jZ/ll9EvHH5t7l/bJdAti/UTel/all:l/An5t7t4VmG
                                                                    MD5:5E6F02764C632E3A889D8DB681D43DFC
                                                                    SHA1:A739505085968FC5B82E0B4E66ED2A10DABF7B4A
                                                                    SHA-256:89304DD33D2A96013D8B95D81A323D61CA7CFEEF26C9132564B301C41B944F02
                                                                    SHA-512:24BFAA1AB9B0BC1EF44DC3317671B2A873533927DD31DE7435AC0F12B1A150383FF3435CDF57C092836B491BA27D21C716289E05851F38886519387670F60119
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: w5|......................................3...w.."....y.......w...............w.......w....:O.....w..................Qm.a"....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vbc.exe_29b1fd91934ca85fd856bebf7e23b59544bb3f14_6c16ead4_19baeb35\Report.wer
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):7832
                                                                    Entropy (8bit):3.7697654129894604
                                                                    Encrypted:false
                                                                    SSDEEP:192:IgpBKDT5HBUZMXQf9jY/u7s7S274ItE7GDBv:I6YD9BUZMXojY/u7s7X4ItEOp
                                                                    MD5:94A7FB9849AACBCB38DA210BD4A9A0E5
                                                                    SHA1:50DA047C42570B6CABECDCE1291C32ACF39AD5C7
                                                                    SHA-256:75DC3BF23E7EFC0C872E26F403688A070C8FDA1465257DDC3BAA47F2FF3F56DF
                                                                    SHA-512:5F0D884E4B56C2C0295A53F32AE53054AA20212DB8614ACC7E0D9A61EC95A8B8F74B3A8A96ED1486AEEFD255C948D23CEB70154C18A1AD63F87DA8D381AAECA2
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.6.1.8.6.4.5.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.8.0.9.2.6.7.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.c.4.e.c.f.7.-.a.a.f.7.-.4.8.6.7.-.9.2.4.8.-.f.5.b.8.3.3.4.1.3.5.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.8.8.6.4.d.1.-.b.4.7.9.-.4.8.2.b.-.9.4.0.b.-.b.f.b.b.4.d.9.e.1.8.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.9.4.-.0.0.0.1.-.0.0.1.7.-.0.0.4.c.-.9.9.2.7.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.8.7.d.9.a.6.e.c.3.f.2.6.2.e.8.b.7.1.d.1.9.a.c.1.5.7.c.2.a.2.8.6.a.0.f.5.9.d.d.!.v.b.c.
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vbc.exe_dbc95366787c6af920cbf43ce460525ddeedebbd_966227d3_198ee9cd\Report.wer
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):7830
                                                                    Entropy (8bit):3.7688031144285605
                                                                    Encrypted:false
                                                                    SSDEEP:192://XKUi28THBUZMXQf9jY/u7s7S274ItE7GDS:H6Ui2wBUZMXojY/u7s7X4ItEOS
                                                                    MD5:ABD2E2BFE051EC215B8B17037FE6FB2E
                                                                    SHA1:DCE114947B4707712A8C0BE4617F063DFA619984
                                                                    SHA-256:19BBEA37874789645FDA94F57A01209A8D93E4B594ED9889256BE5E7E8C7AC6D
                                                                    SHA-512:3D3A092B00D4C85037F37AB5D94D372BB5D5EB6AA0EC2B7FADD31A25FBABD0F99B9ED7D5A152E27CB4D45225E28FB9E6CD206070F4A8984651E123A782656D7E
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.6.0.7.7.0.8.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.7.9.8.3.3.3.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.c.4.f.c.7.5.-.f.a.b.6.-.4.5.4.a.-.a.c.5.f.-.f.1.3.9.9.e.b.1.9.0.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.9.6.1.7.b.3.-.1.4.2.7.-.4.8.8.f.-.8.0.1.4.-.d.d.7.9.b.6.b.5.c.3.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.8.8.-.0.0.0.1.-.0.0.1.7.-.e.f.9.d.-.8.2.2.7.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.8.7.d.9.a.6.e.c.3.f.2.6.2.e.8.b.7.1.d.1.9.a.c.1.5.7.c.2.a.2.8.6.a.0.f.5.9.d.d.!.v.b.c.
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_windows update.e_c1d66a88935183ae141aa58ee4c87ad14e6f9fe7_00000000_1a1eea0c\Report.wer
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):17916
                                                                    Entropy (8bit):3.7508704111475843
                                                                    Encrypted:false
                                                                    SSDEEP:192:i9TMCyXaKsn9fbeN9M2v1zzvSXk0ZKjBIcQrlu/u7s7S274It0:8TM/aEdvh/slu/u7s7X4It0
                                                                    MD5:CA90459EF7765BC961354186FB661F50
                                                                    SHA1:A0EBC223F958677A5A2CB3A35C1C9BA3302B0B92
                                                                    SHA-256:66E4F2577080DA4AC723F71E68B967CCC503C1C013F873A7B0C830FC4017DBA8
                                                                    SHA-512:B3E9D7782171052CE98EF178F3475BC54B2DCBAE79F1A6A3B7C0612100CF09E844A240DAABCDE894D1D469536809BD8123438AD566C0A49FC74C04F0EEDCAC8A
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.6.7.8.9.7.1.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.5.7.8.5.2.2.1.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.7.c.3.e.7.d.-.c.2.7.1.-.4.6.e.e.-.a.b.e.7.-.f.9.7.2.6.9.f.9.0.4.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.4.-.0.0.0.1.-.0.0.1.7.-.9.4.1.7.-.3.e.2.5.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.d.c.2.2.0.b.8.c.0.1.0.a.8.d.3.0.b.9.9.7.3.7.8.f.6.6.e.3.c.7.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.1.9.a.b.2.f.0.6.2.a.e.b.9.8.5.d.b.1.f.1.1.d.4.4.e.e.6.c.0.1.7.7.f.7.e.5.9.a.9.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.8././.2.8.:.1.2.:.5.8.:.4.1.!.0.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....B.o.o.t.I.
                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_439f3432e91833156ec2cf888feef2fd243e3be_00000000_185f3e17\Report.wer
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):16728
                                                                    Entropy (8bit):3.753206684513917
                                                                    Encrypted:false
                                                                    SSDEEP:192:3D6ErrfiQVfaKsn9fbeN9M2v1zzvSXk0ZKjBIcQG0/u7s7S274ItQ:nPiAaEdvh/B0/u7s7X4ItQ
                                                                    MD5:DDA4C55E65434CADEE12AB3E4C51BFB4
                                                                    SHA1:9F9FEC6F59EC16901E2863C64C0B283D62CEFAB1
                                                                    SHA-256:E7D4783787113E857F93C39A03B5B55AEA60C0815E1FF119E6B003003FFAC1E4
                                                                    SHA-512:E91C124B52411EFA64FE2A0C193469E7A5BC52237735C166DDE391E8B0E5290EF142E7BA7CC3DA41D84F1103179A0E0FC05E94FF6788F96DB321BB0E7CAEB6DB
                                                                    Malicious:true
                                                                    Reputation:unknown
                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.4.2.6.1.4.8.4.4.5.1.6.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.4.2.6.1.4.8.8.9.8.2.9.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.c.5.4.0.c.5.-.4.2.8.0.-.4.c.f.b.-.8.c.4.f.-.b.c.2.8.2.0.a.a.9.1.1.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.s.e.m.b.l.y.c.h.a.n.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.c.4.-.0.0.0.1.-.0.0.1.7.-.4.0.b.a.-.a.6.1.f.4.c.a.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.9.4.5.2.1.9.7.3.1.7.1.9.b.2.e.a.4.2.6.d.c.9.f.5.c.a.b.2.7.c.1.0.0.0.0.0.0.0.0.!.0.0.0.0.e.4.c.d.6.5.c.3.1.5.d.7.c.4.c.3.7.a.8.9.7.6.7.e.1.1.f.9.c.5.2.d.6.4.7.5.3.d.0.f.!.t.a.s.k.h.o.s.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.8././.2.8.:.1.3.:.0.0.:.4.9.!.0.!.t.a.s.k.h.o.s.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE49.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):7620
                                                                    Entropy (8bit):3.6899971075875073
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiRe6w6YNr6AAgmfZ2oSnCp13P1fh6pdm:RrlsNiY6w6Yx6AAgmfUoSu39f/
                                                                    MD5:66A963EF273036ED453A7DAC23882679
                                                                    SHA1:DEB544FDB13D26E54242520F8C9E03B5EC1BFC7F
                                                                    SHA-256:3B3A936A4EAD7B4FC4544467245F060F174457239F34BC51DC553FF73F47BC7B
                                                                    SHA-512:B925D897F8E8E33749830F386BC9318DBB0004991F7C58C15D6C19B48FFEA9E233455DBD097C8758AE53ACFCDDE76899DB253A02EB59ED618A90F1A9D336F24F
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.4.8.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF44.tmp.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4683
                                                                    Entropy (8bit):4.445090832594526
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8B28fm8M4JFKQtWTFa+q8v1tWTdQeDN3RGd:uITfkJ1SNpJFKmKSdjN3RGd
                                                                    MD5:A7E90FB7735CE1D948082C45CB1DDDED
                                                                    SHA1:33D131051C620EEC1356417CAD38D0A549817D39
                                                                    SHA-256:55E61527AEAAEBD494849C23E550B8731C8B5A10AEDFF19827183466D75FD551
                                                                    SHA-512:B0ED19D17E7512AF006BF813C6FE0FFF12CE414B3E627EFDC243C9FBBB3C203615C846DB6C1752B084CB20BAF460C1121A70B7926159B52B940D6A9F21DB7030
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBF2.tmp.dmp
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Mon Sep 6 18:22:37 2021, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):17418
                                                                    Entropy (8bit):2.180452948610077
                                                                    Encrypted:false
                                                                    SSDEEP:96:58J8D/+0nlZKLfnQxWXBMc82dJ7icI/NJS1WIXYWIdI4zEVu9:jtnXrWXBd82v7BsNJLzEVu9
                                                                    MD5:A915F6C65D737F9D725BEFAA6D1611AF
                                                                    SHA1:7F01864E6EC6FAB3B17924769777B674B8D6482E
                                                                    SHA-256:A81A9E39A0FCDA95422AC9D34C45EF1D7EAC037C5C4E8678D9DCCD38372C771E
                                                                    SHA-512:4C73BF6A239C400E09D255DDF17E1F7F3C93E2A9FA6FE2920ECA60F3D7B2980AAD876230957DB90A4E05E817B694AB60235AEB9B01A61C1C23028A8C3B099312
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: MDMP....... .......m\6a...................U...........B......t.......GenuineIntelW...........T...........f\6a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC60.tmp.dmp
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Mon Sep 6 18:22:37 2021, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):17418
                                                                    Entropy (8bit):2.1919939055520095
                                                                    Encrypted:false
                                                                    SSDEEP:96:58uA8D/gDlZoLfnEtWXvJMMk2YR9pic7CCFYWInWIXmI4Xxcqua:nUXlWXB9k20XB7C8/Xxcqua
                                                                    MD5:3EF2F61C08E3469F3B17F6EDBBAD7203
                                                                    SHA1:EBA0AEACE9CABE4635BDE8C33656D0792382D0BC
                                                                    SHA-256:CB1C4EB01B42CF11CB74CEC598A8D5CDA6693EE5B0F6381307E963A9A7D2BA5D
                                                                    SHA-512:B12B7D83154D5AB647D02AC1EE711F8FEF8DCE3CD75ECABABBEC5DC4E6DFF78D43689ADFDC09EEC9252CA64C681F00E047D7B03EBF8A0CDC76F77ABCC32D1387
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: MDMP....... .......m\6a...................U...........B......t.......GenuineIntelW...........T...........f\6a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF7D.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5678
                                                                    Entropy (8bit):3.7237378697862953
                                                                    Encrypted:false
                                                                    SSDEEP:96:RtIU6o7r3GLt3iVWjW67QpYZIP9Sf1zgduBCaM1Bf1fIdLLm:Rrl7r3GLNiVWjW67eYZo9SnCp1Bf1fUi
                                                                    MD5:74161DE7FA537E233EEBAC3462A7D6C0
                                                                    SHA1:0CE559ABD6238C69D851A36A0F0709F39DD38809
                                                                    SHA-256:B81031E723CDB8F922FEB925A39BCBC2E0B2AECA08F92EBEC1FB5AACB016BEA9
                                                                    SHA-512:D02E4782CC7F20DF792D997931A5E04EBD9D243C2E82AC9A5AD68E24A2AEC5E17E724983956D9CC7C8FF9D106509302FA443314C2B86BCEC24993672D828BB15
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.4.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE078.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8302
                                                                    Entropy (8bit):3.703646611660962
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNii762W6YRb6jogmf5DSwCprA89bBzsfuLm:RrlsNie6f6Yd6jogmfNSVBYfT
                                                                    MD5:E225D9414F16E474933B5C6E134743F9
                                                                    SHA1:92A9A8298CA258BEC8ECBBD24BD0CCBD22EA1A90
                                                                    SHA-256:25F661A69E6D7C0B71EE29887F7D211CD8D659DD0C33F99E6B0A414912523BF6
                                                                    SHA-512:C3C477F737357861C825068911608C79106A638A22A336CBDB5378148412BF56A62B8A882A69EACC7ADCB5E05B3A9AE4372E602F1DC409EDBC78EEA3DFA85290
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.8.0.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0E5.tmp.WERInternalMetadata.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8302
                                                                    Entropy (8bit):3.703632832604666
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNi5g69/Ce6YRd6jogmf5BSwCprsx89bB3sfmLm:RrlsNie6J6Yb6jogmfPSnB8f7
                                                                    MD5:7EA759AFEAD8A648D808576BE9174782
                                                                    SHA1:1A645E1D64B1987EBCC32A859FE07117AA294B36
                                                                    SHA-256:CEC1207937AD43D66A1F7CBEA2E636E3E06045AEE3C05FABA753C6CB6DF1EC29
                                                                    SHA-512:454D529F4FEE96D7AFDA7E7CA1ED0CCB769098CC9E8DE4DEFBDF68D2BE8AB9106EBEA16DF2E57265DA34D0CC212DDD123EE231512E8479FFCA7E8D73FC3CDD8A
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.9.2.<./.P.i.d.>.......
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE172.tmp.xml
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4708
                                                                    Entropy (8bit):4.454077258851763
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8BG8fm8M4JFKs19EJ+F0+q8vR19EJhi+elJGd:uITfkJ1SNFJFKoWKpR+cJGd
                                                                    MD5:633B7885757E5BC725D1C73075632E31
                                                                    SHA1:88542DE807D2D7A2436FDE3FF75F614157EFCB8A
                                                                    SHA-256:92A23107906A7E672FD84DE42B79BA7671802B265FD6E07F81A0848921F49DC9
                                                                    SHA-512:90AD80F4DDA2D1E5832CA9884E9AF02D757F4229049CDA9BC08946486513C7F72682EE41C43E11A05B94CEEB783BB3F19D5159CE1FC07BCFA3DE0465DFE78D3D
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE23E.tmp.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4644
                                                                    Entropy (8bit):4.482246274784607
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8B88fm8M4JzEZFUs+q8jUDlu5nVhd:uITfkJ1SNXJ49fDlu5nVhd
                                                                    MD5:2EF23EF76DAEBCFCBCF04D819B06583E
                                                                    SHA1:CF849D769883A499D766792BD7E0668D069FD74A
                                                                    SHA-256:B9A0D438D30585B2E21D153BA3D6AF945F47BF0EB025AB83AACBB8386FE560C4
                                                                    SHA-512:6B301A2D1140059312CB54343250D8A244B153D1D996002EA5D132C6E5B0187F73C6D2B017544E558601E833ED8F8FB3F14F5171E5F491F418F367CA53CE5248
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE29C.tmp.xml
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4644
                                                                    Entropy (8bit):4.484315275880367
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9y8WSC8BF8fm8M4JlEZFG++q8VUy+lMSkd:uITfkJ1SNsJaLJflTkd
                                                                    MD5:41AC42D75ECF29A1E124CCE94337CA6B
                                                                    SHA1:36E100F603F2278833206878C1249596AB1A2878
                                                                    SHA-256:0AE6D3B37175B058FDAFD8E1581C3F4516F0FADDF01837095F37A84AAD249F35
                                                                    SHA-512:14AC76C0ABF1B3A00A1569EF69CABE8FC01FC7ED24607A9DCD959CD76F99097419BA22D125B56E83DFF74A414D4AC380F25B4F8AF257267282B3B16406DC17F6
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1155093" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):57344
                                                                    Entropy (8bit):4.5317531123948465
                                                                    Encrypted:false
                                                                    SSDEEP:768:OGjo7j58ODEYBhzjYBUbBBcJJJB4JnE2rVJjRHNIRFqdXrZjBEwnn:OGU7j58OdZOID8L2E2XbIRFqBrcon
                                                                    MD5:A273A781070D239BA99D3FD8EF341E6C
                                                                    SHA1:650FC260C3CBC8FDB37BD18AFCFA089AA2132B96
                                                                    SHA-256:92EC56AE1720E4B05078BB970C4655904CC61BA11FD13482D1B234504589DF2B
                                                                    SHA-512:A37F71BE8362822018A348F84D41F2549F57B2EC310FAF8086637F0E83D03FBBB2A8E71C6299F535A4CBB01A1E81CBCAE8801EC8DDD0622A80A134C8455F96A2
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: Metadefender, Detection: 71%
                                                                    • Antivirus: ReversingLabs, Detection: 86%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2*a..................... ......^.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):777
                                                                    Entropy (8bit):5.272921406044998
                                                                    Encrypted:false
                                                                    SSDEEP:12:Q3LaJcP0/9UkB9t0kaHYGLi1B01kKVdisk70hK9C4XXhK9yi0z6+xaiv:ML2pBLaYgioQ6K/XhKoRr
                                                                    MD5:4D1946DC78B777109FC1B7FF3223B745
                                                                    SHA1:869F3C7550F8B8DE446AE53D6DA234DC24ABD3A5
                                                                    SHA-256:B62BB3914340F56B816EB8883F8459009F25CA430D81948B54F6BE2EBEEFDF76
                                                                    SHA-512:F5BE526A078FB12F42A786A317FB12B13982F382EB0362016AFFCBF122A8A5AB3EB8C406F8EC66ED9AC8E94743B3860D146E6CC5FDC188412F4450403163E7A1
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\93e312980de126a432df42707b07336c\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\iExplorer.exe.log
                                                                    Process:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):916
                                                                    Entropy (8bit):5.282390836641403
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                                    MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                                    SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                                    SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                                    SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                                    C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):106496
                                                                    Entropy (8bit):7.087713047609385
                                                                    Encrypted:false
                                                                    SSDEEP:1536:/b6C9CMsKBeopXORMapFNglr9JWPSRMMr+caHhGUD10D:z6wthpXeMogpmS6yz
                                                                    MD5:3F620FFD8BE649D1D31AB54F73A559BE
                                                                    SHA1:7674D564413FF4C10297C1D74CD1287776AF43FA
                                                                    SHA-256:60E2A0345F0250CB42AF7B40D674D4EFB3110CD2AE74CB2708F0A9941B1F0AA4
                                                                    SHA-512:0783FBBC5036B5666D57036F58041D08A912BE0B791DC81BA23BE13870F10D909F2C1792852EE2B03344EAB6370E140895545B57C614E96A10B8BFC7682E2D31
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................H...........".....Rich..........PE..L...31*a.................p... ......L.............@.................................~q.......................................m..(...........................................................................(... ....................................text...<`.......p.................. ..`.data...............................@....rsrc...............................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\SImg1.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):121521
                                                                    Entropy (8bit):7.928604107100963
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZBJwP2HEzvSx2pX8KXI3YaWWku0bKTy:/5TrzTwfW2zJwP2HEzvSuJdUy
                                                                    MD5:CF9EF68993AD0C8075B4789D5B3F7897
                                                                    SHA1:F991B68333095A54D399A6A5207E3CB479A5B844
                                                                    SHA-256:D448AB7674AEC35432DB9C113CD8E766539E6AC623FA3E17043E806D1A91A205
                                                                    SHA-512:74771718AF098B1A53B1F7166E40665400264424E418F61BDB15CA88E06EB01C8C74EA03D568F4F2E3B126786E7933EE28D4B365A441D34D350C982B9CB3F8AE
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SImg2.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):131323
                                                                    Entropy (8bit):7.925809151767899
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZqaZde3F+gQckwFSmZ9u1LATYq3Vg2WWW7rGcb:/5TrzTwfW28g83F+Od4mu1UThtcb
                                                                    MD5:0C304E96FCE61F274A08F42FF2633F75
                                                                    SHA1:AD125368FFCA36960F459B92C45E05CABECB2BCA
                                                                    SHA-256:57F36FEEA2926B03C4945852B6C47DD08B527F6BBE0DB6A6B3F101786290FBA1
                                                                    SHA-512:633D52188EEAF0D824E053DF430D9BFE40EC8A6C068887B5BDB94FF458BD5228A9C1F3EFE454E003E3A945DF7803FDE73584C6692721B300BD0E0ACE26897853
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SImg3.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):129761
                                                                    Entropy (8bit):7.9315607020066965
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZH2CIyZl+SuG6vPh9/FjJ4PzzDg9fM:/5TrzTwfW2oHyZlBmh9/F5M
                                                                    MD5:E87D0E3977F2EF8E5FD0EA5D6867C92D
                                                                    SHA1:5B1C2EA6D347173DD611A5213A0E5DADD2A0814B
                                                                    SHA-256:4AB6FF2F6D8A439724FDDCC2690E709CC479D4575B917AB984888CD6A1011168
                                                                    SHA-512:3E30AA8F4E40DB50F48825AD96F8D95A3A6408DF3B8B763EC3342E48AC4F7A9A9E77BC79594CAC99B4ED7D0A6E5D9B176C944499AB069F035D53F555C2C4D9BE
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SImg4.jpeg
                                                                    Process:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):121818
                                                                    Entropy (8bit):7.934248352298517
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTwfOL2Xo/tIZ5XouE/mh6bVPohqGR7zENzJZUVG:/5TrzTwfW2RImhsVyqGR7wJZUVG
                                                                    MD5:70019051D7AFD8A82FA3EA49FD663358
                                                                    SHA1:F4E685B2959544C50312AF7A56A597C238F053B2
                                                                    SHA-256:B3EBB3DDA23166785394F79BC48126B21F135D5445DE883656AFF7F968A38956
                                                                    SHA-512:9FD5F456E6BC6BC13D860A51362AF1580879D43195C385DFE2C43F1B4043DAEC4A17F1D0C07CC041C2EBD2EA4DD5C356B96A4416E502E24A022ACD3F1C8CBEE7
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\Startup SImg.jpeg
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):113445
                                                                    Entropy (8bit):7.935166940604218
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rj5TsEzTzvK3yxIGTp4dspGdkIZA9HB1DMG:/5TrzTTK3yxIGTp4WpGdkI6iG
                                                                    MD5:E95B1152C68A79B00F40FD6ED544B1E0
                                                                    SHA1:7A61C83E1163C62F4E4991C5ADD7A354196C475B
                                                                    SHA-256:104A575ECACD0B4E48F1830677B95C3C76D5B1D7EE4A8EF2284617C528C5D782
                                                                    SHA-512:35F4977B1C9795AF5E791D0ACCA5A803E9D27F6BA7D28F8952EBC1A79A9C024805188F4F9B3BA249C1062BAC8C17B0941936C62AA2D8CC7D838C84A78988AB2C
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                                                                    C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                                                    Process:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):47
                                                                    Entropy (8bit):4.296728947874153
                                                                    Encrypted:false
                                                                    SSDEEP:3:oNWXp5cViE2J5xAIVJBUA:oNWXp+N23fVJBUA
                                                                    MD5:B5A38E1E1187076DD0FF50A0F366A697
                                                                    SHA1:6B5FE1C661D1EBFBCC10AEE318508A2FB9F5ACC7
                                                                    SHA-256:81F0716C0370690C4BAA4624AA49C1E755FFE9D341F61C457EFAC3837CD14B3D
                                                                    SHA-512:E3AAAEF247D18D1B65362C764B53291DA8E73E7058122D9B4D5F3343D79C88C6A2E6D6786D8AB518C41D7737C3DD73B4BC2F23E4B01C59AFAEE9C1AB21F94539
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):724480
                                                                    Entropy (8bit):6.369212575152287
                                                                    Encrypted:false
                                                                    SSDEEP:12288:lBQtqB5urTIoYWBQk1E+VF9mOx9TdnHx:lBQtqBorTlYWBhE+V3mO7L
                                                                    MD5:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    SHA1:419AB2F062AEB985DB1F11D44EE6C0177F7E59A9
                                                                    SHA-256:4F21D6AF6EACAE330AE755BF05739C7D8D61567CDCD3F3FF3AD57EF714D8B932
                                                                    SHA-512:8B91940041EAF7271E23BFDAF1A8F0A5C12CB9DA5D179686FD179C65F371B7FB1D1567AFF80B9EE0060A22EBBBB280E9301930B8EFB549FDD6DB01657D33AA92
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................<........... ........@.. .......................`............@.....................................W........8...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....8.......:..................@..@.reloc.......@......................@..B........................H........i..............\m..X............................................0..........(....(.......(.....o....*......................(......o......o......o......o....*...F.(....o....o....*....(....*.s.........s.........s.........s.........s.........*.0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0............{....(...+}.....{....*...{....3.*.,.r...ps....z..|....o...+*...0................,.........o....9..
                                                                    C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):57344
                                                                    Entropy (8bit):4.5317531123948465
                                                                    Encrypted:false
                                                                    SSDEEP:768:OGjo7j58ODEYBhzjYBUbBBcJJJB4JnE2rVJjRHNIRFqdXrZjBEwnn:OGU7j58OdZOID8L2E2XbIRFqBrcon
                                                                    MD5:A273A781070D239BA99D3FD8EF341E6C
                                                                    SHA1:650FC260C3CBC8FDB37BD18AFCFA089AA2132B96
                                                                    SHA-256:92EC56AE1720E4B05078BB970C4655904CC61BA11FD13482D1B234504589DF2B
                                                                    SHA-512:A37F71BE8362822018A348F84D41F2549F57B2EC310FAF8086637F0E83D03FBBB2A8E71C6299F535A4CBB01A1E81CBCAE8801EC8DDD0622A80A134C8455F96A2
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2*a..................... ......^.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\taskhost.exe
                                                                    Process:C:\Users\user\Desktop\aaVb1xEmrd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):533504
                                                                    Entropy (8bit):6.505015338372517
                                                                    Encrypted:false
                                                                    SSDEEP:6144:gmuQqyCAobS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxX:cAoQtqB5urTIoYWBQk1E+VF9mOx9si
                                                                    MD5:83827B8CFFE67A789B03E342ED3B1572
                                                                    SHA1:E4CD65C315D7C4C37A89767E11F9C52D64753D0F
                                                                    SHA-256:029910F3FC7C1BC1DAA32A70BD334CCC767E7A0D0BDC011881099C9507ADB3B6
                                                                    SHA-512:8AB193F75C224208A54DB6BFAA2325F34AF9CDF29C67E01F1CE492D36696E2F6ADEB54D18060D2ECD2F5FF6A8794E399D633556446C25ED50A9363460E88EEB6
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................6........... ........@.. ....................................@.................................d...W.... ..R3...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...R3... ...4..................@..@.reloc.......`......."..............@..B........................H.......0}..4..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):57344
                                                                    Entropy (8bit):4.5317531123948465
                                                                    Encrypted:false
                                                                    SSDEEP:768:OGjo7j58ODEYBhzjYBUbBBcJJJB4JnE2rVJjRHNIRFqdXrZjBEwnn:OGU7j58OdZOID8L2E2XbIRFqBrcon
                                                                    MD5:A273A781070D239BA99D3FD8EF341E6C
                                                                    SHA1:650FC260C3CBC8FDB37BD18AFCFA089AA2132B96
                                                                    SHA-256:92EC56AE1720E4B05078BB970C4655904CC61BA11FD13482D1B234504589DF2B
                                                                    SHA-512:A37F71BE8362822018A348F84D41F2549F57B2EC310FAF8086637F0E83D03FBBB2A8E71C6299F535A4CBB01A1E81CBCAE8801EC8DDD0622A80A134C8455F96A2
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2*a..................... ......^.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):724480
                                                                    Entropy (8bit):6.369212575152287
                                                                    Encrypted:false
                                                                    SSDEEP:12288:lBQtqB5urTIoYWBQk1E+VF9mOx9TdnHx:lBQtqBorTlYWBhE+V3mO7L
                                                                    MD5:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    SHA1:419AB2F062AEB985DB1F11D44EE6C0177F7E59A9
                                                                    SHA-256:4F21D6AF6EACAE330AE755BF05739C7D8D61567CDCD3F3FF3AD57EF714D8B932
                                                                    SHA-512:8B91940041EAF7271E23BFDAF1A8F0A5C12CB9DA5D179686FD179C65F371B7FB1D1567AFF80B9EE0060A22EBBBB280E9301930B8EFB549FDD6DB01657D33AA92
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................<........... ........@.. .......................`............@.....................................W........8...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....8.......:..................@..@.reloc.......@......................@..B........................H........i..............\m..X............................................0..........(....(.......(.....o....*......................(......o......o......o......o....*...F.(....o....o....*....(....*.s.........s.........s.........s.........s.........*.0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0............{....(...+}.....{....*...{....3.*.,.r...ps....z..|....o...+*...0................,.........o....9..
                                                                    C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\taskhost.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):533504
                                                                    Entropy (8bit):6.505015338372517
                                                                    Encrypted:false
                                                                    SSDEEP:6144:gmuQqyCAobS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxX:cAoQtqB5urTIoYWBQk1E+VF9mOx9si
                                                                    MD5:83827B8CFFE67A789B03E342ED3B1572
                                                                    SHA1:E4CD65C315D7C4C37A89767E11F9C52D64753D0F
                                                                    SHA-256:029910F3FC7C1BC1DAA32A70BD334CCC767E7A0D0BDC011881099C9507ADB3B6
                                                                    SHA-512:8AB193F75C224208A54DB6BFAA2325F34AF9CDF29C67E01F1CE492D36696E2F6ADEB54D18060D2ECD2F5FF6A8794E399D633556446C25ED50A9363460E88EEB6
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3*a.....................6........... ........@.. ....................................@.................................d...W.... ..R3...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...R3... ...4..................@..@.reloc.......`......."..............@..B........................H.......0}..4..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                    C:\Users\user\AppData\Roaming\pid.txt
                                                                    Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4
                                                                    Entropy (8bit):2.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:C7:C7
                                                                    MD5:2E6D9C6052E99FCDFA61D9B9DA273CA2
                                                                    SHA1:33C6272DF8483166FFB4295472824F971762E64A
                                                                    SHA-256:B7B598D56A5096E61D7B35CC791EA1E21484BDD778FB8A2EBC52E1045E8255B9
                                                                    SHA-512:A37EE8D831141574064DB582050E33DD2E8846E901E6477BF7C5B7440A407B1E49166736E4C6BFBF0BD12AE68D805C7DC81DB10D661E7F72F59464209D4AD305
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 5204
                                                                    C:\Users\user\AppData\Roaming\pidloc.txt
                                                                    Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):49
                                                                    Entropy (8bit):4.441568140944513
                                                                    Encrypted:false
                                                                    SSDEEP:3:oNWXp5cViEaKC59KYr4a:oNWXp+NaZ534a
                                                                    MD5:6078085422A31D60FCEB24D4FA24B6E8
                                                                    SHA1:0CD056478F3D877B3D44C7B439485B1ACFD78F5A
                                                                    SHA-256:9113E6728CEB1F460E3CEAB19852A31602CD77A92E7B861802FE339FD5CFD837
                                                                    SHA-512:22CE5D96BB25519CB14F27BDB44D7FAEDC6D5C8B8F81A1F972EA638BF9731D8793C98359D7C9476D50AF46346E0964E82F5B0B2F8B1B6763B078D2B045FB2EA1
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):55
                                                                    Entropy (8bit):4.306461250274409
                                                                    Encrypted:false
                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Entropy (8bit):7.98493346971263
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:aaVb1xEmrd.exe
                                                                    File size:835015
                                                                    MD5:c428b176eca6b17cda3f5729abaddf0b
                                                                    SHA1:65262ee5ea9c832436c6eba4a5e58d69900aea72
                                                                    SHA256:b139dd73d811c0d20602ebd74f962724d2c9e31958bdea9326473bf4bbd746b9
                                                                    SHA512:fc6ec90e224a9af1fb1d996bd4067c7f8f00749840fa7c2c446fc6c6a7c158bfcfb913b96b8586d73a41a80bd107690c50fb0c50e1cef43cad8ca6cba1cda886
                                                                    SSDEEP:24576:UA892H+rl3WuNI3jhCXkqzp/GAqDF+Q0o:nQM+D6zhCUg9GNDF+c
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lJ...$...$...$./.{...$...%.9.$.".y...$.......$.f."...$.Rich..$.........................PE..L....y.F.................\.........

                                                                    File Icon

                                                                    Icon Hash:30b278e8d4d49633

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x40315d
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                    DLL Characteristics:
                                                                    Time Stamp:0x460E79C3 [Sat Mar 31 15:09:55 2007 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:4d17be67c8d0394c5c1b8e725359ed89

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    sub esp, 00000180h
                                                                    push ebx
                                                                    push esi
                                                                    xor ebx, ebx
                                                                    push edi
                                                                    mov dword ptr [ebp-0Ch], ebx
                                                                    mov dword ptr [ebp-08h], 00409230h
                                                                    mov dword ptr [ebp-04h], ebx
                                                                    mov byte ptr [ebp-14h], 00000020h
                                                                    call dword ptr [00407030h]
                                                                    push ebx
                                                                    call dword ptr [00407270h]
                                                                    mov dword ptr [0042F0D0h], eax
                                                                    push ebx
                                                                    lea eax, dword ptr [ebp-00000180h]
                                                                    push 00000160h
                                                                    push eax
                                                                    push ebx
                                                                    push 00429440h
                                                                    call dword ptr [00407154h]
                                                                    push 00409224h
                                                                    push 0042E820h
                                                                    call 00007FC228BE8D23h
                                                                    call dword ptr [004070B0h]
                                                                    mov esi, 00435000h
                                                                    push eax
                                                                    push esi
                                                                    call 00007FC228BE8D11h
                                                                    push ebx
                                                                    call dword ptr [00407108h]
                                                                    cmp byte ptr [00435000h], 00000022h
                                                                    mov dword ptr [0042F020h], eax
                                                                    mov eax, esi
                                                                    jne 00007FC228BE653Bh
                                                                    mov byte ptr [ebp-14h], 00000022h
                                                                    mov eax, 00435001h
                                                                    push dword ptr [ebp-14h]
                                                                    push eax
                                                                    call 00007FC228BE880Ch
                                                                    push eax
                                                                    call dword ptr [00407210h]
                                                                    mov dword ptr [ebp-10h], eax
                                                                    jmp 00007FC228BE6594h
                                                                    cmp cl, 00000020h
                                                                    jne 00007FC228BE6538h
                                                                    inc eax
                                                                    cmp byte ptr [eax], 00000020h
                                                                    je 00007FC228BE652Ch
                                                                    cmp byte ptr [eax], 00000022h
                                                                    mov byte ptr [ebp-14h], 00000020h
                                                                    jne 00007FC228BE6537h
                                                                    inc eax
                                                                    mov byte ptr [ebp-14h], 00000022h
                                                                    cmp byte ptr [eax], 0000002Fh
                                                                    jne 00007FC228BE6567h
                                                                    inc eax
                                                                    cmp byte ptr [eax], 00000053h
                                                                    jne 00007FC228BE6541h
                                                                    mov cl, byte ptr [eax+01h]

                                                                    Rich Headers

                                                                    Programming Language:
                                                                    • [EXP] VC++ 6.0 SP5 build 8804

                                                                    Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7448           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x38000          0x1488        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x280         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                    Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x5bba        0x5c00    False     0.676672894022   data       6.47700627279  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x11f0        0x1200    False     0.466796875      data       5.2756827095   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x260d4       0x400     False     0.650390625      data       5.15843208882  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x30000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x38000          0x1488        0x1600    False     0.330965909091   data       3.37907638684  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                    Resources

Name           RVA      Size    Type  Language  Country
RT_ICON        0x38148  0x10a8  data  English   United States
RT_DIALOG      0x391f0  0x100   data  English   United States
RT_DIALOG      0x392f0  0x11c   data  English   United States
RT_DIALOG      0x39410  0x60    data  English   United States
RT_GROUP_ICON  0x39470  0x14    data  English   United States

                                                                    Imports

DLL           Import
KERNEL32.dll  SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CopyFileA, CloseHandle, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, MulDiv, ReadFile, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, ExitProcess
USER32.dll    EndDialog, ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, RegisterClassA, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, wsprintfA
GDI32.dll     SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll   SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll  RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll     CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll   GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                    Possible Origin

Language of compilation system  Country where language is spoken  Map
English                         United States

                                                                    Network Behavior

                                                                    Snort IDS Alerts

Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP      Dest IP
09/06/21-11:22:25.883661  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49712      104.16.154.36  192.168.2.3
09/06/21-11:22:33.904181  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49715      104.16.154.36  192.168.2.3

                                                                    Network Port Distribution

                                                                    TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                    Sep 6, 2021 11:22:25.725954056 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.725960016 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.725975037 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.725986958 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.725994110 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726001024 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726011992 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726023912 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726023912 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.726036072 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726046085 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726053953 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726063967 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.726103067 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.726134062 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.726150036 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.726161003 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.726171970 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.728888035 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.728904009 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.728910923 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.728923082 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.729044914 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.729055882 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.729094028 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.729125977 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.729156971 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.774319887 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.775288105 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.775486946 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.780118942 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.780137062 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.780226946 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.780318975 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.780356884 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.780368090 CEST5874971194.100.180.160192.168.2.3
                                                                    Sep 6, 2021 11:22:25.780420065 CEST49711587192.168.2.394.100.180.160
                                                                    Sep 6, 2021 11:22:25.780432940 CEST49711587192.168.2.394.100.180.160

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2021 11:22:08.247072935 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:08.284501076 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:24.427344084 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:24.463366985 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:25.379049063 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:25.416760921 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:25.762196064 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:25.795854092 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:28.858500957 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:28.886203051 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:33.189950943 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:33.217931986 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:33.759963989 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:33.789587975 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:35.330713034 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:35.358179092 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:35.471806049 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:35.498379946 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.047529936 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.079185963 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.460223913 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.496215105 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.906306982 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.906943083 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:37.933733940 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:37.934645891 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:38.050973892 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:38.080091953 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:41.515290976 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:41.548307896 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:54.897388935 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:54.923737049 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:59.577109098 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:59.614623070 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:22:59.882579088 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:22:59.913769007 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:00.002063990 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:00.039280891 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:02.271364927 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:02.305356979 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:03.534266949 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:03.574574947 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:09.484256029 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:09.517220020 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:09.698349953 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:09.735904932 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:14.123003960 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:14.161180019 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:19.028017044 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:19.074403048 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:33.634174109 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:33.677450895 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:48.283610106 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:48.327076912 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Sep 6, 2021 11:23:49.259216070 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Sep 6, 2021 11:23:49.294157982 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 6, 2021 11:22:24.427344084 CEST | 192.168.2.3 | 8.8.8.8 | 0x3330 | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:25.379049063 CEST | 192.168.2.3 | 8.8.8.8 | 0x5300 | Standard query (0) | 160.192.10.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:25.762196064 CEST | 192.168.2.3 | 8.8.8.8 | 0xdc7d | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:33.189950943 CEST | 192.168.2.3 | 8.8.8.8 | 0x3569 | Standard query (0) | 160.192.10.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:33.759963989 CEST | 192.168.2.3 | 8.8.8.8 | 0x2eaf | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.330713034 CEST | 192.168.2.3 | 8.8.8.8 | 0x3eed | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.471806049 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb08 | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:37.460223913 CEST | 192.168.2.3 | 8.8.8.8 | 0xaec1 | Standard query (0) | smtp.mail.ru | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 6, 2021 11:22:24.463366985 CEST | 8.8.8.8 | 192.168.2.3 | 0x3330 | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:24.463366985 CEST | 8.8.8.8 | 192.168.2.3 | 0x3330 | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:25.416760921 CEST | 8.8.8.8 | 192.168.2.3 | 0x5300 | Name error (3) | 160.192.10.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:25.795854092 CEST | 8.8.8.8 | 192.168.2.3 | 0xdc7d | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:25.795854092 CEST | 8.8.8.8 | 192.168.2.3 | 0xdc7d | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:33.217931986 CEST | 8.8.8.8 | 192.168.2.3 | 0x3569 | Name error (3) | 160.192.10.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Sep 6, 2021 11:22:33.789587975 CEST | 8.8.8.8 | 192.168.2.3 | 0x2eaf | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:33.789587975 CEST | 8.8.8.8 | 192.168.2.3 | 0x2eaf | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.358179092 CEST | 8.8.8.8 | 192.168.2.3 | 0x3eed | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.358179092 CEST | 8.8.8.8 | 192.168.2.3 | 0x3eed | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.498379946 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb08 | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:35.498379946 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb08 | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:37.496215105 CEST | 8.8.8.8 | 192.168.2.3 | 0xaec1 | No error (0) | smtp.mail.ru | | 94.100.180.160 | A (IP address) | IN (0x0001)
Sep 6, 2021 11:22:37.496215105 CEST | 8.8.8.8 | 192.168.2.3 | 0xaec1 | No error (0) | smtp.mail.ru | | 217.69.139.160 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• whatismyipaddress.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49712 | 104.16.154.36 | 80 | C:\Users\user\AppData\Local\Temp\taskhost.exe

Timestamp | kBytes transferred | Direction | Data
Sep 6, 2021 11:22:25.848732948 CEST | 1205 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Sep 6, 2021 11:22:25.883661032 CEST | 1205 | IN | HTTP/1.1 403 Forbidden
Date: Mon, 06 Sep 2021 09:22:25 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 68a6a1ff98f21782-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49715 | 104.16.154.36 | 80 | C:\Users\user\AppData\Local\Temp\taskhost.exe

Timestamp | kBytes transferred | Direction | Data
Sep 6, 2021 11:22:33.865338087 CEST | 1235 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Sep 6, 2021 11:22:33.904181004 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
Date: Mon, 06 Sep 2021 09:22:33 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 68a6a231bab84ed9-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 6, 2021 11:22:24.654927015 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3 | 220 smtp57.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:24.655308962 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:24.710182905 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3 | 250-smtp57.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:24.710491896 CEST | 49711 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:24.764374018 CEST | 587 | 49711 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS
Sep 6, 2021 11:22:35.477663994 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3 | 220 smtp29.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:35.564328909 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:35.616727114 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3 | 250-smtp29.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:35.617120028 CEST | 49718 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:35.668801069 CEST | 587 | 49718 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS
Sep 6, 2021 11:22:35.688143015 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3 | 220 smtp36.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:35.689376116 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:35.741569996 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3 | 250-smtp36.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:35.741786003 CEST | 49719 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:35.794620991 CEST | 587 | 49719 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS
Sep 6, 2021 11:22:37.609016895 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3 | 220 smtp32.i.mail.ru ESMTP ready (Looking for Mail for your domain? Visit https://biz.mail.ru)
Sep 6, 2021 11:22:37.609217882 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160 | EHLO 704672
Sep 6, 2021 11:22:37.660432100 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3 | 250-smtp32.i.mail.ru
    250-SIZE 73400320
    250-8BITMIME
    250-PIPELINING
    250 STARTTLS
Sep 6, 2021 11:22:37.660605907 CEST | 49721 | 587 | 192.168.2.3 | 94.100.180.160 | STARTTLS
Sep 6, 2021 11:22:37.713546038 CEST | 587 | 49721 | 94.100.180.160 | 192.168.2.3 | 220 2.0.0 Start TLS

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 11:22:15
Start date: 06/09/2021
Path: C:\Users\user\Desktop\aaVb1xEmrd.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\aaVb1xEmrd.exe'
Imagebase: 0x400000
File size: 835015 bytes
MD5 hash: C428B176ECA6B17CDA3F5729ABADDF0B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 11:22:16
Start date: 06/09/2021
Path: C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe'
Imagebase: 0x7ff7488e0000
File size: 106496 bytes
MD5 hash: 3F620FFD8BE649D1D31AB54F73A559BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 11:22:17
Start date: 06/09/2021
Path: C:\Users\user\AppData\Local\Temp\svchost.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\AppData\Local\Temp\svchost.exe'
Imagebase: 0xf30000
File size: 57344 bytes
MD5 hash: A273A781070D239BA99D3FD8EF341E6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 11:22:17
Start date: 06/09/2021
Path: C:\Users\user\AppData\Local\Temp\taskhost.exe
Wow64 process (32bit): true
                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\taskhost.exe'
                                                                    Imagebase:0x9c0000
                                                                    File size:533504 bytes
                                                                    MD5 hash:83827B8CFFE67A789B03E342ED3B1572
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: Joe Security
                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\taskhost.exe, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:18
                                                                    Start date:06/09/2021
                                                                    Path:C:\Users\user\AppData\Local\Temp\iExplorer.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\iExplorer.exe'
                                                                    Imagebase:0x6d0000
                                                                    File size:724480 bytes
                                                                    MD5 hash:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\iExplorer.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:27
                                                                    Start date:06/09/2021
                                                                    Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\Windows Update.exe'
                                                                    Imagebase:0x3d0000
                                                                    File size:724480 bytes
                                                                    MD5 hash:A0DBD1314D214588960B1E0BCED5F4E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.283523438.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000000.293259909.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: PredatorPain, Description: unknown, Source: 00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
                                                                    • Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                    • Rule: PredatorPain, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:27
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:dw20.exe -x -s 2200
                                                                    Imagebase:0x10000000
                                                                    File size:33936 bytes
                                                                    MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:30
                                                                    Start date:06/09/2021
                                                                    Path:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
                                                                    Imagebase:0xbc0000
                                                                    File size:57344 bytes
                                                                    MD5 hash:A273A781070D239BA99D3FD8EF341E6C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 71%, Metadefender
                                                                    • Detection: 86%, ReversingLabs
                                                                    Reputation:low

                                                                    General

                                                                    Start time:11:22:30
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                    Imagebase:0x400000
                                                                    File size:1171592 bytes
                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:32
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                    Imagebase:0x400000
                                                                    File size:1171592 bytes
                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:11:22:33
                                                                    Start date:06/09/2021
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                    Imagebase:0x7ff7488e0000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
Reputation:high

General

Start time:11:22:34
Start date:06/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176
Imagebase:0xb20000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:11:22:35
Start date:06/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176
Imagebase:0xb20000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:11:22:36
Start date:06/09/2021
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):true
Commandline:dw20.exe -x -s 2324
Imagebase:0x10000000
File size:33936 bytes
MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:11:22:36
Start date:06/09/2021
Path:C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe
Wow64 process (32bit):false
Commandline:'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe'
Imagebase:0x320000
File size:57344 bytes
MD5 hash:A273A781070D239BA99D3FD8EF341E6C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:11:22:39
Start date:06/09/2021
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:0x400000
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:high