Windows Analysis Report SW0P9o9ksjpBsnr.exe

Overview

General Information

Sample Name: SW0P9o9ksjpBsnr.exe
Analysis ID: 547727
MD5: 27f2a9688ec34fc8aa3b0fee4757dd71
SHA1: 9464f6bea3222c5598ecd9d29a8bc68c0998f926
SHA256: 5733ad0577f5b8fc7e939b1daff3ff98b339bb47542a138b659e47b9001fbbd2
Tags: exe, RemcosRAT

Detection

Detected families: HawkEye, Remcos, AgentTesla, AveMaria, MailPassView, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UACMe UAC Bypass tool
Detected HawkEye Rat
Yara detected AveMaria stealer
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Increases the number of concurrent connections per server for Internet Explorer
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal e-mail passwords
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Yara detected WebBrowserPassView password recovery tool
Contains functionality to steal Chrome passwords or cookies
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Contains functionality to inject threads in other processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file name is different from the original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • SW0P9o9ksjpBsnr.exe (PID: 5468 cmdline: "C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe" MD5: 27F2A9688EC34FC8AA3B0FEE4757DD71)
    • BackgroundTransferHost.exe (PID: 4928 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
      • bin.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" 0 MD5: 805FBB84293E86F25B566A5B2C2815D2)
        • powershell.exe (PID: 6572 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6580 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • warz.exe (PID: 6544 cmdline: "C:\Users\user\AppData\Local\Temp\warz.exe" 0 MD5: 1D90A7DA17807F64F1699E5EA2091A36)
        • powershell.exe (PID: 6764 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • images.exe (PID: 6824 cmdline: C:\ProgramData\images.exe MD5: 1D90A7DA17807F64F1699E5EA2091A36)
          • powershell.exe (PID: 7092 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 7156 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rem.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\rem.exe" 0 MD5: 9E764165FBA9E86937643D84A2F4E063)
      • hawkstartup.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0 MD5: AEAF1943FB037B6529873D7CC47CE137)
        • Windows Update.exe (PID: 3328 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)
          • dw20.exe (PID: 5040 cmdline: dw20.exe -x -s 2228 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 1456 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 4692 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 1896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 4600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • ori4.0dec23sta.exe (PID: 6988 cmdline: "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0 MD5: F41809BC71EEB2C3B1676309139216A8)
      • ori2.0dec23sta.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0 MD5: 421138225D5DEE81805C5E5072898504)
      • BackgroundTransferHost.exe (PID: 6776 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • SW0P9o9ksjpBsnr.exe (PID: 4928 cmdline: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe MD5: 27F2A9688EC34FC8AA3B0FEE4757DD71)
  • bin.exe (PID: 7136 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" MD5: 805FBB84293E86F25B566A5B2C2815D2)
  • WindowsUpdate.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)
  • 100.exe (PID: 5772 cmdline: "C:\Users\user\AppData\Roaming\100\100.exe" MD5: F41809BC71EEB2C3B1676309139216A8)
  • WindowsUpdate.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)
  • 100.exe (PID: 6576 cmdline: "C:\Users\user\AppData\Roaming\100\100.exe" MD5: F41809BC71EEB2C3B1676309139216A8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\100\100.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Roaming\100\100.exe | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
C:\ProgramData\images.exe | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\ProgramData\images.exe | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:
C:\ProgramData\images.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
  • 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
(36 entries in total)

Memory Dumps

Source | Rule | Description | Author
0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000001F.00000002.435763826.00000000081E0000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
(376 entries in total)

Unpacked PEs

Source | Rule | Description | Author
22.3.images.exe.14b3768.4.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
22.3.images.exe.14b3768.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xb18:$c1: Elevation:Administrator!new:
22.3.images.exe.14b3768.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
22.3.images.exe.14b4d00.6.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
22.3.images.exe.14b4d00.6.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:
(584 entries in total)

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\bin.exe" 0, ParentImage: C:\Users\user\AppData\Local\Temp\bin.exe, ParentProcessId: 6480, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 6572
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\bin.exe" 0, ParentImage: C:\Users\user\AppData\Local\Temp\bin.exe, ParentProcessId: 6480, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 6572
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132858111621307027.6572.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\100\100.exe; Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\ProgramData\images.exe; Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe; Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\bin.exe; Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\warz.exe; Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe; Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Multi AV Scanner detection for submitted file
Source: SW0P9o9ksjpBsnr.exe; ReversingLabs: Detection: 53%
Yara detected Remcos RAT
Source: Yara match; File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
Yara detected AveMaria stealer
Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\images.exe; Metadefender: Detection: 76%
Source: C:\ProgramData\images.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\bin.exe; Metadefender: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\bin.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe; ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe; Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe; ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\rem.exe; Metadefender: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\rem.exe; ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\tmpG223.tmp (copy); ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy); Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy); ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\warz.exe; Metadefender: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\warz.exe; ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: SW0P9o9ksjpBsnr.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\100\100.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bin.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\warz.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rem.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Joe Sandbox ML: detected
Source: 12.0.warz.exe.1020000.6.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 12.2.warz.exe.1020000.0.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 19.0.hawkstartup.exe.4d0000.4.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.4.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 22.0.images.exe.330000.0.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 11.0.bin.exe.880000.6.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: 11.0.bin.exe.880000.2.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 22.3.images.exe.14ab2f0.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 11.0.bin.exe.880000.4.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 19.0.hawkstartup.exe.4d0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.bin.exe.880000.0.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 22.2.images.exe.330000.0.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 19.0.hawkstartup.exe.4d0000.12.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.12.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 22.3.images.exe.14ab2f0.10.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 19.0.hawkstartup.exe.4d0000.8.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.8.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 11.2.bin.exe.880000.0.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
                Source: 19.2.hawkstartup.exe.4d0000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 19.2.hawkstartup.exe.4d0000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 12.0.warz.exe.1020000.2.unpackAvira: Label: TR/Redcap.ghjpt
                Source: 12.0.warz.exe.1020000.4.unpackAvira: Label: TR/Redcap.ghjpt
                Source: 12.0.warz.exe.1020000.0.unpackAvira: Label: TR/Redcap.ghjpt
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088B15E lstrlenA,CryptStringToBinaryA,lstrcpyA
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CAFC CryptUnprotectData,LocalAlloc,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CF58 LocalAlloc,BCryptDecrypt,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102B15E lstrlenA,CryptStringToBinaryA,lstrcpyA
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CAFC CryptUnprotectData,LocalAlloc,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CF58 LocalAlloc,BCryptDecrypt,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033B15E lstrlenA,CryptStringToBinaryA,lstrcpyA
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033CAFC CryptUnprotectData,LocalAlloc,LocalFree
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033CF58 LocalAlloc,BCryptDecrypt,LocalFree
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
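                The six call chains above (Base64 decode via CryptStringToBinary, DPAPI decrypt via CryptUnprotectData, AES key setup and BCryptDecrypt through CNG, and a registry value fed into CryptUnprotectData) sit at the same distance from each module's load base in bin.exe, warz.exe and images.exe, which is the quickest evidence that the three dropped files are one binary relocated three times. The script below is an added example and is not Joe Sandbox code or the sample's own; it takes the "Code function" lines from this report, normalises each address to an RVA using the load bases read from the unpack names in the Avira section (the assumption being that the hex field in "11.0.bin.exe.880000..." is the module base), groups findings by RVA, and tags each function with the capability its APIs indicate. The tag names and the API-to-tag table are mine.

```python
import re
from collections import defaultdict

# "Code function" findings copied from the report (bin.exe, warz.exe, images.exe);
# the URLDownloadToFileW/ShellExecuteW one is listed under Networking. Not constructed.
CODE_FUNCTION_LINES = r"""
C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088B15E lstrlenA,CryptStringToBinaryA,lstrcpyA
C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CAFC CryptUnprotectData,LocalAlloc,LocalFree
C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree
C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088CF58 LocalAlloc,BCryptDecrypt,LocalFree
C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_008827D3 URLDownloadToFileW,ShellExecuteW
C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102B15E lstrlenA,CryptStringToBinaryA,lstrcpyA
C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CAFC CryptUnprotectData,LocalAlloc,LocalFree
C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree
C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102CF58 LocalAlloc,BCryptDecrypt,LocalFree
C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
C:\ProgramData\images.exe | Code function: 22_2_0033B15E lstrlenA,CryptStringToBinaryA,lstrcpyA
C:\ProgramData\images.exe | Code function: 22_2_0033CAFC CryptUnprotectData,LocalAlloc,LocalFree
C:\ProgramData\images.exe | Code function: 22_2_0033CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree
C:\ProgramData\images.exe | Code function: 22_2_0033CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
C:\ProgramData\images.exe | Code function: 22_2_0033A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
C:\ProgramData\images.exe | Code function: 22_2_0033CF58 LocalAlloc,BCryptDecrypt,LocalFree
"""

# Load bases read from the unpack names in the Avira section ("11.0.bin.exe.880000...",
# "12.0.warz.exe.1020000...", "22.0.images.exe.330000..."). Assumption: that field is the base.
IMAGE_BASES = {11: 0x880000, 12: 0x1020000, 22: 0x330000}

# A function gets a tag when it calls every API in the tag's set (my naming).
BEHAVIOUR_SIGNATURES = {
    "base64_decode_ansi": {"CryptStringToBinaryA"},
    "base64_decode_wide": {"CryptStringToBinaryW"},
    "dpapi_decrypt": {"CryptUnprotectData"},
    "registry_value_dpapi_decrypt": {"RegQueryValueExW", "CryptUnprotectData"},
    "cng_symmetric_key_setup": {"BCryptOpenAlgorithmProvider", "BCryptGenerateSymmetricKey"},
    "cng_decrypt": {"BCryptDecrypt"},
    "download_and_execute": {"URLDownloadToFileW", "ShellExecuteW"},
}

# "<path>.exe ... <process>_<stage>_<address> <api>,<api>,..." as printed in the report.
FINDING_RE = re.compile(
    r"^(?P<path>.+?\.exe)\D+?(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<apis>[\w,]+)")


def parse_finding(line):
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    return {
        "image": m.group("path").rsplit("\\", 1)[-1],
        "process": int(m.group("proc")),
        "stage": int(m.group("stage")),
        "address": int(m.group("addr"), 16),
        "apis": m.group("apis").strip(",").split(","),
    }


def to_rva(finding, bases):
    """Virtual address minus module base; None when the base is unknown or does not fit."""
    base = bases.get(finding["process"])
    if base is None or finding["address"] < base:
        return None
    return finding["address"] - base


def tag_behaviours(apis):
    present = set(apis)
    return {tag for tag, needed in BEHAVIOUR_SIGNATURES.items() if needed <= present}


def summarize_by_rva(text, bases=IMAGE_BASES):
    """Group findings by RVA so the same code at different load bases lines up."""
    by_rva = defaultdict(lambda: {"images": set(), "tags": set(), "apis": None})
    for line in text.splitlines():
        f = parse_finding(line)
        if f is None:
            continue
        rva = to_rva(f, bases)
        key = rva if rva is not None else ("unmapped", f["image"], f["address"])
        entry = by_rva[key]
        entry["images"].add(f["image"])
        entry["tags"] |= tag_behaviours(f["apis"])
        entry["apis"] = f["apis"]
    return dict(by_rva)


def shared_code(summary):
    """RVAs seen in more than one image: evidence of one binary dropped under several names."""
    return {rva: sorted(v["images"]) for rva, v in summary.items()
            if isinstance(rva, int) and len(v["images"]) > 1}


if __name__ == "__main__":
    for rva, entry in sorted(summarize_by_rva(CODE_FUNCTION_LINES).items(), key=str):
        print(hex(rva) if isinstance(rva, int) else rva, sorted(entry["images"]), sorted(entry["tags"]))
```

                The same normalisation works on any sandbox that prints absolute addresses: once the bases are known, a function that appears at the same RVA in several dropped files is the same function, and the API tags give a first-pass capability map (here: DPAPI and CNG decryption of stored credentials plus a download-and-execute routine in bin.exe) without opening a disassembler.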

                Exploits:

                Yara detected UACMe UAC Bypass tool
                Source: Yara match | File source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.311194083.000000000116F000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.299504412.0000000000DA0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.524271296.000000000047F000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.525512056.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000003.315040551.00000000014B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.299610781.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.294592566.000000000116F000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.295601289.00000000010E4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.328741916.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.295697323.00000000010E4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000000.317999053.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000000.304645862.000000000047F000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.290450731.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.294916604.000000000116F000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.299968878.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.291282105.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.293514502.000000000116F000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000003.315520254.00000000014B2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.290889845.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.294003890.000000000116F000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: bin.exe PID: 6480, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: warz.exe PID: 6544, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: images.exe PID: 6824, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\images.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
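                The match list above mixes two identifier formats, and the useful information is in their fields rather than in the count of hits: the unpack names carry the process index and image name, while the memory-dump names carry the process index in hex, the region base and the page protection. Read that way, every memory hit in process 4 sits at 0x403000 in a region whose protection field is 00000040 (PAGE_EXECUTE_READWRITE), which is what injected code looks like, whereas the hits in bin.exe, warz.exe and images.exe at 0x9CF000 and 0x116F000 are read-only image pages. The script below is an added example, not Joe Sandbox tooling; it decodes a representative subset of the values listed above (not constructed) into a per-process view and flags hits in writable-and-executable memory. The field order for both name formats is my reading of the report's naming convention and is an assumption; the PAGE_* values are the documented Win32 constants, and the last dump-name field is left undecoded.

```python
import re
from collections import defaultdict

# Representative subset of the "File source" values listed above (not constructed);
# the full list follows the same two patterns and can be pasted in unchanged.
FILE_SOURCES = """
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp, type: MEMORY
0000001B.00000002.328741916.00000000009CF000.00000002.00020000.sdmp, type: MEMORY
00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
"""

# Win32 PAGE_* memory protection constants (low byte; PAGE_GUARD etc. are modifiers above it).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}

# Assumed field order (my reading of the naming convention, not documented on the page):
#   <process index>.<stage>.<image>.<base>.<n>[.raw].unpack
#   <process index hex>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)\.(?:raw\.)?unpack$")
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")


def parse_source(name):
    """Decode one file-source name; returns None for the DROPPED/MEMORYSTR forms."""
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpack", "process": int(m.group(1)), "stage": int(m.group(2)),
                "image": m.group(3), "base": int(m.group(4), 16), "protection": None}
    m = SDMP_RE.match(name)
    if m:
        prot = int(m.group(5), 16) & 0xFF  # keep the PAGE_* value, drop modifier bits
        return {"kind": "memory", "process": int(m.group(1), 16), "stage": int(m.group(2), 16),
                "image": None, "base": int(m.group(4), 16), "protection": prot}
    return None


def protection_name(value):
    return PAGE_PROTECTION.get(value, "0x%02x" % value)


def summarize_by_process(text):
    """Per process index: image name (once an unpack line reveals it), hit count, and the
    base addresses of Yara hits that lie in writable-and-executable memory."""
    per_proc = defaultdict(lambda: {"image": None, "hits": 0, "rwx_regions": set()})
    for line in text.splitlines():
        src = parse_source(line.split(",", 1)[0].strip())
        if src is None:
            continue
        entry = per_proc[src["process"]]
        entry["hits"] += 1
        if src["image"]:
            entry["image"] = src["image"]
        if src["protection"] in WRITABLE_AND_EXECUTABLE:
            entry["rwx_regions"].add(src["base"])
    return dict(per_proc)


def rwx_processes(summary):
    """Process indexes with at least one Yara hit inside RWX memory: injection candidates."""
    return sorted(p for p, e in summary.items() if e["rwx_regions"])


if __name__ == "__main__":
    for proc, e in sorted(summarize_by_process(FILE_SOURCES).items()):
        rwx = ", ".join(hex(b) for b in sorted(e["rwx_regions"])) or "-"
        print(f"process {proc:>2}  image={e['image'] or '?':<22} hits={e['hits']}  rwx={rwx}")
```

                Process indexes that appear only in dump names (27 here) stay unnamed rather than guessed; the report's own process tree is the place to resolve them.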
                Source: SW0P9o9ksjpBsnr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Directory created: C:\Program Files\Microsoft DN1
                Source: SW0P9o9ksjpBsnr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, hawkstartup.exe, 00000013.00000002.332921599.0000000002B31000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp | Binary or memory string: [autorun]
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp | Binary or memory string: [autorun]
                Source: hawkstartup.exe | Binary or memory string: [autorun]
                Source: hawkstartup.exe | Binary or memory string: autorun.inf
                Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | Binary or memory string: autorun.inf
                Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | Binary or memory string: [autorun]
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0089002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_00889DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088FF27 FindFirstFileW,FindNextFileW
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_01029DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102FF27 FindFirstFileW,FindNextFileW
                Source: C:\ProgramData\images.exe | Code function: 22_2_00339DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033FF27 FindFirstFileW,FindNextFileW
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 4x nop then jmp 04D21A73h
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 4x nop then jmp 04D21A73h
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 4x nop then jmp 04D21A73h
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

                Networking:

                Connects to many ports of the same IP (likely port scanning)
                Source: global traffic | TCP traffic: 185.157.161.174 ports 9019,1,1975,5,7,9
                May check the online IP address of the machine
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                    Host: whatismyipaddress.com
                    Connection: Keep-Alive
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_008827D3 URLDownloadToFileW,ShellExecuteW
                Source: global traffic | TCP traffic: 192.168.2.5:49756 -> 185.157.161.174:1975
                Source: global traffic | TCP traffic: 192.168.2.5:49792 -> 66.29.159.53:587
                Source: global traffic | TCP traffic: 192.168.2.5:49792 -> 66.29.159.53:587
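                The three network findings above (one destination contacted on six different ports, a lookup of an IP-echo service, and an SMTP submission on tcp/587 from a workstation) are each cheap to reproduce on ordinary flow and DNS telemetry. The script below is an added example, not Joe Sandbox's detection logic, whose thresholds this page does not state; it runs the three heuristics over a constructed conn/DNS excerpt in a simplified Zeek-style layout that reuses the endpoints from this report, with a second benign host added for contrast. The five-port/60-second threshold, the relay allow-list and the IP-echo domains beyond whatismyipaddress.com are my assumptions.

```python
from collections import defaultdict

# Constructed conn-log excerpt (ts, src_ip, src_port, dst_ip, dst_port, proto), tab separated.
# Endpoints and ports for 192.168.2.5 are those listed in the report; 192.168.2.7 is a benign host.
CONN_LOG = """\
1641900001.10\t192.168.2.5\t49750\t185.157.161.174\t1\ttcp
1641900001.20\t192.168.2.5\t49751\t185.157.161.174\t5\ttcp
1641900001.30\t192.168.2.5\t49752\t185.157.161.174\t7\ttcp
1641900001.40\t192.168.2.5\t49753\t185.157.161.174\t9\ttcp
1641900001.50\t192.168.2.5\t49754\t185.157.161.174\t9019\ttcp
1641900001.60\t192.168.2.5\t49756\t185.157.161.174\t1975\ttcp
1641900002.00\t192.168.2.5\t49792\t66.29.159.53\t587\ttcp
1641900003.00\t192.168.2.7\t51000\t93.184.216.34\t443\ttcp
1641900003.50\t192.168.2.7\t51001\t93.184.216.34\t443\ttcp
1641900004.00\t192.168.2.7\t51002\t1.1.1.1\t53\tudp
"""

# Constructed DNS-log excerpt (ts, src_ip, query).
DNS_LOG = """\
1641900000.90\t192.168.2.5\twhatismyipaddress.com
1641900003.00\t192.168.2.7\texample.com
"""

# whatismyipaddress.com is the one on this page; the others are common IP-echo services (my list).
IP_ECHO_DOMAINS = {"whatismyipaddress.com", "api.ipify.org", "icanhazip.com", "ipinfo.io"}
MAIL_RELAYS = {"10.0.0.25"}   # constructed: the only host expected to originate SMTP
SMTP_PORTS = {25, 465, 587}


def parse_conn(text):
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto})
    return rows


def many_ports_same_ip(conns, min_ports=5, window=60.0):
    """(src, dst) pairs that touched at least min_ports distinct destination ports
    within `window` seconds of the pair's first connection."""
    ports, first_seen = defaultdict(set), {}
    for c in sorted(conns, key=lambda c: c["ts"]):
        key = (c["src"], c["dst"])
        first_seen.setdefault(key, c["ts"])
        if c["ts"] - first_seen[key] <= window:
            ports[key].add(c["dport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


def unexpected_smtp(conns, relays=MAIL_RELAYS):
    """Outbound SMTP/submission from any host that is not an approved relay."""
    return sorted({(c["src"], c["dst"], c["dport"]) for c in conns
                   if c["proto"] == "tcp" and c["dport"] in SMTP_PORTS and c["src"] not in relays})


def ip_echo_lookups(text, domains=IP_ECHO_DOMAINS):
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, query = line.split("\t")
        if query.lower().rstrip(".") in domains:
            hits.append((src, query))
    return hits


def analyze(conn_text=CONN_LOG, dns_text=DNS_LOG):
    conns = parse_conn(conn_text)
    return {"many_ports": many_ports_same_ip(conns),
            "smtp": unexpected_smtp(conns),
            "ip_echo": ip_echo_lookups(dns_text)}


def suspicious_hosts(report):
    """Hosts that trip at least two of the three heuristics; one alone is too noisy."""
    votes = defaultdict(set)
    for (src, _dst) in report["many_ports"]:
        votes[src].add("many_ports")
    for src, _dst, _port in report["smtp"]:
        votes[src].add("smtp")
    for src, _query in report["ip_echo"]:
        votes[src].add("ip_echo")
    return sorted(h for h, v in votes.items() if len(v) >= 2)


if __name__ == "__main__":
    r = analyze()
    for name, value in r.items():
        print(name, value)
    print("suspicious:", suspicious_hosts(r))
```

                Requiring two of the three heuristics to agree is what keeps this usable: a vulnerability scanner trips the port heuristic, a laptop on a captive portal trips the IP-echo one, but a workstation that does both and then submits mail directly to an external server is the pattern this report shows.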
                Source: ori4.0dec23sta.exe, 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp | String found in binary or memory: http://CDIeMO.com
                Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
                Source: ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp | String found in binary or memory: http://crl.c
                Source: ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com
                Source: ori4.0dec23sta.exe, 00000017.00000002.540928973.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertifi
                Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531073009.00000000008B9000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542078165.0000000005759000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531263426.00000000008C2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                Source: ori4.0dec23sta.exe, 00000017.00000002.540928973.0000000006762000.00000004.00000001.sdmp, ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori4.0dec23sta.exe, 00000017.00000002.540819805.0000000006720000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541994217.0000000005734000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539098632.0000000002B7B000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539285143.0000000002BAD000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
                Source: ori4.0dec23sta.exe, 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp | String found in binary or memory: http://hWWJFF.com
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531073009.00000000008B9000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542078165.0000000005759000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531263426.00000000008C2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539098632.0000000002B7B000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539285143.0000000002BAD000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.privateemail.com
                Source: hawkstartup.exe | String found in binary or memory: http://whatismyipaddress.com/
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.260790631.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.262146733.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265990762.0000000005E36000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260434103.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264954192.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260700997.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.263684825.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265098574.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.259763834.0000000005E34000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260592186.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265825518.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000002.294573838.0000000005E30000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260474258.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264340395.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.261362055.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260825749.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.263708707.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.266616856.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260218923.0000000005E36000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260536702.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260626401.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.263588322.0000000005E3C000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264079426.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.266401934.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.286537446.0000000005E30000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.262166074.0000000005E3C000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260655683.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264467499.0000000005E36000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.260790631.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.262146733.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265990762.0000000005E36000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260434103.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264954192.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260700997.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.263684825.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265098574.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.259763834.0000000005E34000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260592186.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265825518.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000002.294573838.0000000005E30000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260474258.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264340395.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.261362055.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260825749.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.263708707.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.266616856.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260218923.0000000005E36000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260536702.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260626401.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 
00000000.00000003.263588322.0000000005E3C000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264079426.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.266401934.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.286537446.0000000005E30000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.262166074.0000000005E3C000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260655683.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264467499.0000000005E36000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comC
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.260790631.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.262146733.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265990762.0000000005E36000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260434103.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264954192.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260700997.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.263684825.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265098574.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.259763834.0000000005E34000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260592186.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.265825518.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000002.294573838.0000000005E30000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260474258.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264340395.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.261362055.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260825749.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.263708707.0000000005E3D000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.266616856.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260218923.0000000005E36000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260536702.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260626401.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 
00000000.00000003.263588322.0000000005E3C000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264079426.0000000005E3B000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.266401934.0000000005E35000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.286537446.0000000005E30000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.262166074.0000000005E3C000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260655683.0000000005E3E000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.264467499.0000000005E36000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comslnt
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287717053.0000000001507000.00000004.00000040.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.266401934.0000000005E35000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.261362055.0000000005E3B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/P
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287717053.0000000001507000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comceaY
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.257920284.0000000005E38000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257920284.0000000005E38000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotypeimaging.c
                Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp; String found in binary or memory: http://www.nirsoft.net/
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.255889807.0000000005E4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.255889807.0000000005E4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comAt
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.255889807.0000000005E4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.come
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260218923.0000000005E36000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.257996177.0000000005E38000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257996177.0000000005E38000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com2
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257996177.0000000005E38000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comB
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
                Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp; String found in binary or memory: https://KXOf8Lcd51drIxRwI.org
                Source: ori4.0dec23sta.exe, 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp; String found in binary or memory: https://KXOf8Lcd51drIxRwI.org81
                Source: ori2.0dec23sta.exe, 0000001A.00000002.540786312.00000000049F0000.00000004.00000001.sdmp; String found in binary or memory: https://KXOf8Lcd51drIxRwI.orgInProcServer32
                Source: ori2.0dec23sta.exe, 0000001A.00000002.540836311.0000000004A00000.00000004.00000001.sdmp; String found in binary or memory: https://KXOf8Lcd51drIxRwI.orgInprocHandler
                Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp; String found in binary or memory: https://KXOf8Lcd51drIxRwI.orgd=
                Source: bin.exe, warz.exe, images.exe; String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.294966162.00000000018CC000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.284923646.0000000001893000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.291709456.0000000004593000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.286875051.0000000001893000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.314218745.0000000001903000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.324999984.0000000001904000.00000004.00000001.sdmp, bin.exe, 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, bin.exe, 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, bin.exe, 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, bin.exe, 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, warz.exe, 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, warz.exe, 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, warz.exe, 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, warz.exe, 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, images.exe, 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, images.exe, 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, images.exe, 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp; String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
                Source: hawkstartup.exe; String found in binary or memory: https://login.yahoo.com/config/login
                Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539098632.0000000002B7B000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539285143.0000000002BAD000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0
                Source: hawkstartup.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, ori4.0dec23sta.exe, ori4.0dec23sta.exe, 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.540819805.0000000006720000.00000004.00000001.sdmp, ori2.0dec23sta.exe, ori2.0dec23sta.exe, 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                Source: unknown; DNS traffic detected: queries for: 9.96.11.0.in-addr.arpa
                Source: C:\Users\user\AppData\Local\Temp\bin.exe; Code function: 11_2_0088D0A3 recv,
                Source: global traffic; HTTP traffic detected: GET / HTTP/1.1
                  Host: whatismyipaddress.com
                  Connection: Keep-Alive
                Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden
                  Date: Tue, 04 Jan 2022 14:06:23 GMT
                  Content-Type: text/plain; charset=UTF-8
                  Content-Length: 16
                  Connection: keep-alive
                  X-Frame-Options: SAMEORIGIN
                  Referrer-Policy: same-origin
                  Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                  Set-Cookie: __cf_bm=9.gsBxN_TlFUSbreDLPbWL6FYpa.GN4p00zBzeoSM3A-1641305183-0-AeUdY+n5LN7USDwNfmj5TSRNGaWztIYvAklLwEwNucw9pUZwZ2l2ZbjFQzDfD62xzB8G6jLZy8vOobUN/MZShNg=; path=/; expires=Tue, 04-Jan-22 14:36:23 GMT; domain=.whatismyipaddress.com; HttpOnly
                  Server: cloudflare
                  CF-RAY: 6c8506f6cf196997-FRA
                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                  Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
                  Data Ascii: error code: 1020
                Source: unknown; TCP traffic detected without corresponding DNS query: 185.157.161.174 (this entry is recorded 50 times in the report, one per connection to the same address)
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: hawkstartup.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
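                The URL strings listed above are of three kinds: type-foundry EULA URLs (carterandcone.com, fontbureau.com, tiro.com and the rest) that sit in the memory of any process that touches embedded fonts, licence and certificate URLs (the Apache-2.0 text, the Sectigo CPS), and the handful that matter for this sample: the external-IP lookup at whatismyipaddress.com, the unresolved KXOf8Lcd51drIxRwI.org domain carried by ori2/ori4, the Tor bundle download, the NirSoft reference in hawkstartup.exe, and the repeated connections to 185.157.161.174 that were never preceded by a DNS query. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it parses report lines of this shape and sorts them into those buckets. Its assumption, labelled in the code, is that the domains in FONT_FOUNDRIES and LICENCE_OR_CERT are benign string noise; everything else is left for the analyst, trailing memory garbage ("tiro.com2", ".orgInProcServer32") and all. The sample lines embedded in it are constructed copies of lines from this page with the memory-dump lists shortened.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption (mine, not the report's): these domains are type-foundry EULA
# metadata that shows up in the memory of any process that touches embedded fonts.
FONT_FOUNDRIES = {
    "carterandcone.com", "fontbureau.com", "fonts.com", "founder.com.cn",
    "galapagosdesign.com", "goodfont.co.kr", "jiyu-kobo.co.jp",
    "monotypeimaging.com", "sajatypeworks.com", "sakkal.com", "sandoll.co.kr",
    "tiro.com", "typography.net", "urwpp.de", "zhongyicts.com.cn",
}
# Assumption: an embedded Apache-2.0 licence text and a Sectigo certificate CPS URL.
LICENCE_OR_CERT = {"apache.org", "sectigo.com"}

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")
TCP_NO_DNS_RE = re.compile(
    r"TCP traffic detected without corresponding DNS query:\s*(\d{1,3}(?:\.\d{1,3}){3})")
# The report fuses header lines ("HTTP/1.1Host: example.comConnection: ..."); a
# hostname is lowercase, so the capitalised name of the next header ends the match.
HTTP_RE = re.compile(
    r"HTTP traffic detected:\s*(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.\d\s*Host:\s*"
    r"([a-z0-9\-]+(?:\.[a-z0-9\-]+)+)")


def _matches_known(host, known):
    """True when host is one of `known`, tolerating the memory garbage the report
    glues onto strings ("tiro.com2", "urwpp.dedplease") and a host cut short by
    the end of a dump ("monotypeimaging.c"), but not a deeper suffix
    ("tiro.com.evil.example")."""
    h = host[4:] if host.startswith("www.") else host
    if not h:
        return False
    for d in known:
        if h == d:
            return True
        if h.startswith(d) and not h[len(d):].startswith("."):
            return True
        if d.startswith(h) and "." in h and len(h) >= len(d) - 2:
            return True
    return False


def classify_url(raw):
    """Bucket one URL string: font_metadata, licence_or_cert or candidate (analyst's)."""
    host = urlsplit(raw).hostname or ""
    if _matches_known(host, FONT_FOUNDRIES):
        return "font_metadata"
    if _matches_known(host, LICENCE_OR_CERT):
        return "licence_or_cert"
    return "candidate"


def triage(lines):
    """Summarise report lines: bucketed URL strings, per-IP counts of connections
    made without a DNS lookup, and parsed HTTP requests (responses are skipped)."""
    urls = {"font_metadata": [], "licence_or_cert": [], "candidate": []}
    tcp_no_dns = Counter()
    http = []
    for line in lines:
        m = STRING_RE.search(line)
        if m:
            s = m.group(1)
            if s.lower().startswith(("http://", "https://")):
                urls[classify_url(s)].append(s)
            continue
        m = TCP_NO_DNS_RE.search(line)
        if m:
            tcp_no_dns[m.group(1)] += 1
            continue
        m = HTTP_RE.search(line)
        if m:
            http.append({"method": m.group(1), "path": m.group(2), "host": m.group(3)})
    return {"urls": urls, "tcp_no_dns": dict(tcp_no_dns), "http": http}


# Constructed sample: lines copied in shape from the report, dump lists cut to one entry.
SAMPLE_LINES = [
    "Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?",
    "Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257996177.0000000005E38000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com2",
    "Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257920284.0000000005E38000.00000004.00000001.sdmp String found in binary or memory: http://www.monotypeimaging.c",
    "Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0",
    "Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: https://KXOf8Lcd51drIxRwI.org",
    "Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/",
    "Source: unknown DNS traffic detected: queries for: 9.96.11.0.in-addr.arpa",
    "Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive",
    "Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174",
    "Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174",
    "Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for bucket, items in summary["urls"].items():
        print(f"{bucket}: {len(items)}")
    print("connections without DNS:", summary["tcp_no_dns"])
    print("HTTP requests:", summary["http"])
```

                Two things the output does not say on its own. The only HTTP exchange in this run is the request to whatismyipaddress.com, which Cloudflare answered with 403 and "error code: 1020", so the sample's external-IP discovery did not succeed in the sandbox; the script records the request host, not the outcome. And the KXOf8Lcd51drIxRwI.org variants (".org81", ".orgInProcServer32", ".orgd=") are one indicator with different memory garbage appended, so the candidate list still needs a human to collapse it before it becomes a blocklist entry.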

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                Yara detected HawkEye Keylogger
                Source: Yara match; File source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                Contains functionality to log keystrokes (.Net Source)
                Source: hawkstartup.exe.4.dr, Form1.cs, .Net Code: HookKeyboard
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, Code function: 11_2_008889D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,
                Source: bin.exe, 0000000B.00000002.529750933.00000000010AA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Binary or memory string: GetRawInputData
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, Window created: window name: CLIPBRDWNDCLASS

                E-Banking Fraud:

                Yara detected Remcos RAT
                Source: Yara match, File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
                Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
                Yara detected AveMaria stealer
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: C:\ProgramData\images.exe, type: DROPPED
                Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
                Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
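The match lists in this report become actionable once the identifiers are decoded. The Python below is an added example, not part of the report or of Joe Sandbox's own tooling: it parses evidence lines of the form shown in this section, ties MEMORY hits back to a process image through the sandbox process number (decimal in the `.unpack` names, hexadecimal as the first field of the `.sdmp` names, which the lines above bear out: `13.0.rem.exe` and `0000000D...sdmp`, `19.2.hawkstartup.exe` and `00000013...sdmp`), flags Yara hits that sit in read-write-execute memory, and pulls the keylogging-related APIs out of the `Code function` line from the keystroke-logging signature. The sample lines are copied from this section. The field layout of the dump names and the reading of the protection field as the Windows `PAGE_EXECUTE_READWRITE` constant (0x40) are assumptions, inferred from the report rather than documented by it.

```python
"""Triage helper for the Yara-match evidence lines of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox's tooling. Assumed layouts
(inferred from the lines in this section, not documented by the report):
  <proc>.<stage>.<image>.<hexaddr>.<n>[.raw].unpack                   unpacked PE
  <proc_hex>.<stage_hex>.<id>.<addr_hex>.<prot_hex>.<type_hex>.sdmp    memory dump
The protection field is read as a Windows PAGE_* constant (assumption).
"""
import re
from collections import defaultdict

UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?\.exe)\.([0-9a-f]+)\.(\d+)(?:\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
PIDSTR_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")
# Accepts the fused form ("Yara matchFile source:") as well as the cleaned one ("Yara match, File source:").
EVIDENCE_RE = re.compile(r"^\s*Source:\s*Yara match,?\s*File source:\s*(.+?),\s*type:\s*(\w+)\s*$")

PAGE_EXECUTE_READWRITE = 0x40  # assumed meaning of the protection field (Windows constant)

# APIs typical of user-mode keystroke capture; the report's 'Code function' line names three of them.
KEYLOG_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "CallNextHookEx", "GetAsyncKeyState",
               "GetKeyState", "GetKeyNameTextA", "GetKeyNameTextW", "GetRawInputData",
               "RegisterRawInputDevices"}


def parse_source(line):
    """Decode one evidence line into a dict, or None if it is not a Yara-match line."""
    m = EVIDENCE_RE.match(line)
    if not m:
        return None
    src, kind = m.groups()
    rec = {"type": kind, "raw": src}
    if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        rec.update(proc=int(u.group(1)), stage=int(u.group(2)), image=u.group(3), addr=int(u.group(4), 16))
    elif kind == "MEMORY" and (s := SDMP_RE.match(src)):
        # process number and stage are hex here, decimal in the .unpack names
        rec.update(proc=int(s.group(1), 16), stage=int(s.group(2), 16),
                   addr=int(s.group(4), 16), prot=int(s.group(5), 16))
    elif kind == "MEMORYSTR" and (p := PIDSTR_RE.match(src)):
        rec.update(image=p.group(1), pid=int(p.group(2)))
    elif kind == "DROPPED":
        rec["image"] = src.rsplit("\\", 1)[-1]  # file name of the dropped binary
    return rec


def summarize(sections):
    """sections: {family: [evidence lines]} -> families seen per image, and hits in RWX memory.

    MEMORY hits carry no image name, so they are resolved through the process number
    learned from the UNPACKEDPE hits of the same run.
    """
    records = {fam: [r for r in map(parse_source, lines) if r] for fam, lines in sections.items()}
    proc_to_image = {r["proc"]: r["image"] for recs in records.values() for r in recs
                     if r["type"] == "UNPACKEDPE" and "proc" in r}
    by_image, rwx = defaultdict(set), []
    for fam, recs in records.items():
        for r in recs:
            image = r.get("image") or proc_to_image.get(r.get("proc"))
            if image:
                by_image[image].add(fam)
            if r["type"] == "MEMORY" and r.get("prot") == PAGE_EXECUTE_READWRITE:
                rwx.append((fam, image or f"process {r.get('proc')}", r["addr"]))
    return {"families_by_image": dict(by_image), "rwx_regions": sorted(rwx)}


def keylog_apis(line):
    """Keylogging-related APIs named in a 'Code function: <id> <api>,<api>,...' line."""
    m = re.search(r"Code function:\s*(\S+)\s+(.*)$", line)
    if not m:
        return set()
    return {a.strip() for a in m.group(2).split(",") if a.strip()} & KEYLOG_APIS


# Sample input: lines copied from this section, grouped by the signature heading they appear under.
SAMPLE = {
    "Remcos": [
        "Source: Yara matchFile source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE",
        "Source: Yara matchFile source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE",
        "Source: Yara matchFile source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY",
        "Source: Yara matchFile source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY",
        "Source: Yara matchFile source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR",
        r"Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED",
    ],
    "AveMaria": [
        "Source: Yara matchFile source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE",
        "Source: Yara matchFile source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE",
        "Source: Yara matchFile source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY",
        "Source: Yara matchFile source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY",
        r"Source: Yara matchFile source: C:\ProgramData\images.exe, type: DROPPED",
    ],
    "HawkEye": [
        "Source: Yara matchFile source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE",
        "Source: Yara matchFile source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY",
    ],
}
KEYLOG_LINE = (r"Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_008889D5 "
               "GetAsyncKeyState,wsprintfW,GetKeyNameTextW,GetAsyncKeyState,CallNextHookEx,")

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for image, fams in sorted(result["families_by_image"].items()):
        print(f"{image}: {', '.join(sorted(fams))}")
    for fam, image, addr in result["rwx_regions"]:
        print(f"RWX region with {fam} match: {image} @ 0x{addr:x}")
    print("keylogging APIs:", sorted(keylog_apis(KEYLOG_LINE)))
```

On the sample above, the second SW0P9o9ksjpBsnr.exe instance (process 4) is the only one whose matches land in RWX memory at 0x403000, and it matches both the Remcos and the AveMaria rules; read together with the "Injects a PE file into a foreign processes" and "Writes to foreign memory regions" signatures in the overview, that is the region to pull for further analysis. The dropped files and the MEMORYSTR hits resolve to an image name directly, so they need no process-number lookup.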

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
                Source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
                Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
                Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone, Author: unknown
                Source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
                Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                Source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Author: unknown
                Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Author: unknown
                Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\ProgramData\images.exe, type: DROPPEDMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: C:\ProgramData\images.exe, type: DROPPEDMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: C:\ProgramData\images.exe, type: DROPPEDMatched rule: AveMaria_WarZone Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPEDMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPEDMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPEDMatched rule: AveMaria_WarZone Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPEDMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPEDMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPEDMatched rule: AveMaria_WarZone Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPEDMatched rule: REMCOS_RAT_variants Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: ori4.0dec23sta.exe.4.dr, <PrivateImplementationDetails>{80ABC6D1-AE32-45A2-9096-BC397AAC86F7}/45943044-0066-44E2-9EC2-A29D8D801138.cs | Large array initialization: .cctor: array initializer size 11886
Source: ori2.0dec23sta.exe.4.dr, <PrivateImplementationDetails>{D1803E16-2E0D-4EFF-8E66-1BC2B45C9740}/0875DE0C-18CD-4C1C-B3D5-C056A3F3148B.cs | Large array initialization: .cctor: array initializer size 11886
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2228
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Code function: 0_2_014FD43C
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Code function: 0_2_07818710
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Code function: 0_2_07810007
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Code function: 0_2_07810040
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Code function: 0_2_0781C068
Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_00891BF8
Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_01031BF8
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004DD426
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004DD523
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004ED5AE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004E7646
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004DD6C4
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_005129BE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_00516AF4
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_0053ABFC
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_00533C4D
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_00533CBE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004DED03
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_00533D2F
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_00533DC0
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004DCF92
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_004EAFA6
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_04D21D98
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Code function: 19_2_0050C7BC
Source: C:\ProgramData\images.exe | Code function: 22_2_00341BF8
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Code function: 23_2_008C2296
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Code function: 23_2_012A46A0
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Code function: 23_2_012A4658
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Code function: 23_2_012AD2F0
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Code function: 26_2_023C9EC0
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Code function: 26_2_023CCFAC
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Code function: 26_2_023CB398
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Code function: 26_2_023CEBC0
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Code function: 26_2_023CB338
Source: rem.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkstartup.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkstartup.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkstartup.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Section loaded: security.dll
Source: SW0P9o9ksjpBsnr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.hawkstartup.exe.2b9c090.4.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001F.00000002.435763826.00000000081E0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0000001F.00000002.435817753.0000000008330000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001F.00000000.389096338.00000000081E0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000C.00000002.311194083.000000000116F000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000C.00000003.299504412.0000000000DA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000016.00000002.524271296.000000000047F000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000B.00000002.525512056.00000000009CF000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000016.00000003.315040551.00000000014B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000C.00000003.299610781.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000C.00000000.294592566.000000000116F000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000003.295601289.00000000010E4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001B.00000002.328741916.00000000009CF000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001F.00000000.389208484.0000000008330000.00000004.00020000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0000001F.00000000.381363861.0000000008330000.00000004.00020000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0000000B.00000003.295697323.00000000010E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001B.00000000.317999053.00000000009CF000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000016.00000000.304645862.000000000047F000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000B.00000000.290450731.00000000009CF000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000C.00000000.294916604.000000000116F000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000C.00000003.299968878.0000000000DA2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000B.00000000.291282105.00000000009CF000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000000C.00000000.293514502.000000000116F000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000016.00000003.315520254.00000000014B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001F.00000000.381265988.00000000081E0000.00000004.00020000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 0000000B.00000000.290889845.00000000009CF000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000C.00000000.294003890.000000000116F000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: C:\ProgramData\images.exe, type: DROPPEDMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: C:\ProgramData\images.exe, type: DROPPEDMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: C:\ProgramData\images.exe, type: DROPPEDMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: C:\ProgramData\images.exe, type: DROPPEDMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPEDMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPEDMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPEDMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPEDMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPEDMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPEDMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPEDMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPEDMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPEDMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: C:\ProgramData\images.exeCode function: String function: 003335E5 appears 40 times
                Source: C:\ProgramData\images.exeCode function: String function: 00340969 appears 47 times
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exeCode function: String function: 0051BA9D appears 35 times
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: String function: 00890969 appears 47 times
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: String function: 008835E5 appears 40 times
                Source: C:\Users\user\AppData\Local\Temp\warz.exeCode function: String function: 010235E5 appears 40 times
                Source: C:\Users\user\AppData\Local\Temp\warz.exeCode function: String function: 01030969 appears 47 times
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeCode function: 26_2_0219B0BA NtQuerySystemInformation,
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeCode function: 26_2_0219B089 NtQuerySystemInformation,
                Source: bin.exe.4.drStatic PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
                Source: warz.exe.4.drStatic PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
                Source: SW0P9o9ksjpBsnr.exeBinary or memory string: OriginalFilename vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.295088311.00000000074B0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.295794287.0000000008DD0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenamePrivateBinPath.dll" vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.273722749.00000000048B6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287855633.0000000002C91000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePrivateBinPath.dll" vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.272239056.0000000003EB6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGAx vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGx vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
                Source: SW0P9o9ksjpBsnr.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SW0P9o9ksjpBsnr.exe.log
                Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winEXE@46/115@17/5
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_0088D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_008930A7 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,
                Source: C:\Users\user\AppData\Local\Temp\bin.exeFile created: C:\Program Files\Microsoft DN1
                Source: SW0P9o9ksjpBsnr.exeReversingLabs: Detection: 53%
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe "C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe"
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                Source: C:\Windows\System32\BackgroundTransferHost.exeProcess created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe" 0
                Source: C:\Windows\System32\BackgroundTransferHost.exeProcess created: C:\Users\user\AppData\Local\Temp\warz.exe "C:\Users\user\AppData\Local\Temp\warz.exe" 0
                Source: C:\Windows\System32\BackgroundTransferHost.exeProcess created: C:\Users\user\AppData\Local\Temp\rem.exe "C:\Users\user\AppData\Local\Temp\rem.exe" 0
                Source: C:\Users\user\AppData\Local\Temp\bin.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                Source: C:\Users\user\AppData\Local\Temp\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Temp\warz.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                Source: C:\Windows\System32\BackgroundTransferHost.exeProcess created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0
                Source: C:\Users\user\AppData\Local\Temp\warz.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
                Source: C:\Windows\System32\BackgroundTransferHost.exeProcess created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0
                Source: C:\ProgramData\images.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
                Source: C:\Windows\System32\BackgroundTransferHost.exeProcess created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
                Source: C:\ProgramData\images.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2228
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
                Source: C:\Windows\System32\BackgroundTransferHost.exeProcess created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\100\100.exe "C:\Users\user\AppData\Roaming\100\100.exe"
                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Users\user\AppData\Local\Temp\warz.exe "C:\Users\user\AppData\Local\Temp\warz.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Users\user\AppData\Local\Temp\rem.exe "C:\Users\user\AppData\Local\Temp\rem.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_0088F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
                Source: C:\Users\user\AppData\Local\Temp\warz.exeCode function: 12_2_0102F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
                Source: C:\ProgramData\images.exeCode function: 22_2_0033F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeCode function: 26_2_0219AF3E AdjustTokenPrivileges,
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeCode function: 26_2_0219AF07 AdjustTokenPrivileges,
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeFile created: C:\Users\user\AppData\Local\Temp\bin.exe
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_0089290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_008920B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                Source: hawkstartup.exe.4.dr, Form1.csBase64 encoded string: 'qTd8VQLAEkmZh9T1lwAg4vNn/06IIYj2+rg5JeHdokwzD7YTfxMi/o4Nmen2Wic0', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_01
                Source: C:\Users\user\AppData\Local\Temp\rem.exeMutant created: \Sessions\1\BaseNamedObjects\Remcos-G9IQ8F
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01
                Source: ori4.0dec23sta.exe.4.dr, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: hawkstartup.exe.4.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: hawkstartup.exe.4.dr, Form1.csCryptographic APIs: 'CreateDecryptor'
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: SW0P9o9ksjpBsnr.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: SW0P9o9ksjpBsnr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: C:\Users\user\AppData\Local\Temp\bin.exeDirectory created: C:\Program Files\Microsoft DN1
                Source: SW0P9o9ksjpBsnr.exeStatic file information: File size 2203648 > 1048576
                Source: SW0P9o9ksjpBsnr.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x219600
                Source: SW0P9o9ksjpBsnr.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, hawkstartup.exe, 00000013.00000002.332921599.0000000002B31000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: SW0P9o9ksjpBsnr.exe, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.SW0P9o9ksjpBsnr.exe.800000.0.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.2.SW0P9o9ksjpBsnr.exe.800000.0.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.7.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.11.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.5.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 4.2.SW0P9o9ksjpBsnr.exe.f60000.3.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.15.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.2.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.1.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_00802FA3 push ds; iretd
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_008029FC push ecx; ret
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_0781AE90 pushfd ; ret
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 4_2_00F629FC push ecx; ret
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 4_2_00F62FA3 push ds; iretd
                Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00881190 push eax; ret
                Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01021190 push eax; ret
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00540712 push eax; ret
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_0051B87E push ecx; ret
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_0051BA9D push eax; ret
                Source: C:\ProgramData\images.exe Code function: 22_2_00331190 push eax; ret
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_012A441C push ss; retf
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_012A3567 push ss; retf
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_021924C4 push esi; ret
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0219296C push cs; ret
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0229092F pushfd ; retf
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291CA2 pushfd ; retf
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291AB8 pushfd ; retf
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291CBC pushfd ; retf
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291A0C pushfd ; ret
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_022905CF pushfd ; ret
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_022919D0 pushfd ; retf
                Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088FA42 LoadLibraryA,GetProcAddress,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088D418 NetUserAdd,NetLocalGroupAddMembers,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe File created: C:\ProgramData\images.exe
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\warz.exe
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\rem.exe
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File created: C:\Users\user\AppData\Roaming\100\100.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File created: C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy)
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe
                Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008827D3 URLDownloadToFileW,ShellExecuteW,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
                Source: C:\ProgramData\images.exe Code function: 22_2_0033AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
                Source: C:\ProgramData\images.exe Code function: 22_2_0033A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,

                Boot Survival:

                Creates autostart registry keys with suspicious names
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 100
                Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\AppData\Local\Temp\bin.exe File opened: C:\Users\user\AppData\Local\Temp\bin.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Local\Temp\warz.exe File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File opened: C:\Users\user\AppData\Roaming\100\100.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File opened: C:\Users\user\AppData\Roaming\100\100.exe:Zone.Identifier read attributes | delete
                Contains functionality to hide user accounts
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe, 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe, 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe, 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe, 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe, 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe, 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: bin.exe, 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: warz.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: warz.exe, 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: warz.exe, 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: warz.exe, 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: warz.exe, 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: warz.exe, 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: warz.exe, 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: warz.exe, 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: warz.exe, 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: images.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: images.exe, 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: images.exe, 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: images.exe, 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: images.exe, 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: images.exe, 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: images.exe, 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\rem.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries)

                Malware Analysis System Evasion:

                Yara detected AntiVM3
                Source: Yara match | File source: 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,memAlloc,threadDelayed,threadDelayed,processSet,processSet,processSet,processSet,threadDelayed,fileCreated,processSet,processSet
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe TID: 3752 | Thread sleep time: -33730s >= -30000s
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe TID: 5796 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\bin.exe TID: 6484 | Thread sleep count: 60 > 30
                Source: C:\Users\user\AppData\Local\Temp\bin.exe TID: 6484 | Thread sleep time: -65000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\warz.exe TID: 6548 | Thread sleep count: 60 > 30
                Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6756 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6752 | Thread sleep count: 82 > 30
                Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6752 | Thread sleep time: -49200000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6744 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\cmd.exe TID: 6928 | Thread sleep count: 826 > 30
                Source: C:\Windows\SysWOW64\cmd.exe TID: 6928 | Thread sleep time: -9912000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6936 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe TID: 6984 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe TID: 6972 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\ProgramData\images.exe TID: 6828 | Thread sleep count: 60 > 30
                Source: C:\ProgramData\images.exe TID: 6828 | Thread sleep time: -65000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe TID: 6284 | Thread sleep time: -21213755684765971s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe TID: 6288 | Thread sleep count: 5580 > 30
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe TID: 6288 | Thread sleep count: 4155 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6464 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 | Thread sleep count: 133 > 30
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 | Thread sleep time: -3990000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 2892 | Thread sleep count: 36 > 30
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 | Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4736 | Thread sleep count: 321 > 30
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\ProgramData\images.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Last function: Thread delayed (2 entries)
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
                Source: C:\ProgramData\images.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\rem.exe | Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 entries)
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Thread delayed: delay time: 922337203685477 (2 entries)
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5042
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 638
                Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 826
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4975
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 391
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Window / User API: threadDelayed 5580
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Window / User API: threadDelayed 4155
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7025
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1326
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (13 identical entries)
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Thread delayed: delay time: 33730
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\rem.exe | Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 entries)
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Thread delayed: delay time: 922337203685477 (2 entries)
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Thread delayed: delay time: 30000 (2 entries)
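                The sleep entries above are the sandbox's raw observations; what an analyst wants to know is which processes would simply outlive the analysis window. The delay 922337203685477 is TimeSpan.MaxValue (2**63 - 1 ticks of 100 ns) expressed in whole milliseconds, which is what a .NET Thread.Sleep(TimeSpan.MaxValue) produces, so it is a "sleep until killed" sentinel rather than a timed delay. The script below is an added example, not part of the Joe Sandbox report: it parses entries of the shape shown above, aggregates them per process image, and names the evasion pattern each process exhibits. It assumes the raw delay values are milliseconds (consistent with the report's 30000 threshold) and uses a 120 second analysis window by default; both are assumptions, not values from the report.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue is 2**63 - 1 ticks of 100 ns; in whole milliseconds that is 922337203685477,
# the exact delay the report shows for several .NET processes: a "sleep until killed" sentinel.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Constructed sample in the shape of the report entries (values copied from the entries above).
# Assumption: the raw delay value is in milliseconds, consistent with the report's 30000 threshold.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe TID: 3752 | Thread sleep time: -33730s >= -30000s
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe TID: 5796 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bin.exe TID: 6484 | Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\bin.exe TID: 6484 | Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6752 | Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6752 | Thread sleep time: -49200000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 6928 | Thread sleep count: 826 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 6928 | Thread sleep time: -9912000s >= -30000s
""".strip().splitlines()

# The separator between the source and the observation is optional, so lines with or without it parse.
LINE_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s+TID:\s*(?P<tid>\d+)\s*\|?\s*"
    r"Thread sleep (?P<kind>time|count):\s*-?(?P<value>\d+)"
)


def parse_line(line):
    """Return {'image', 'tid', 'kind', 'value'} for a thread-sleep entry, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "image": m["image"].rsplit("\\", 1)[-1],
        "tid": int(m["tid"]),
        "kind": m["kind"],
        "value": int(m["value"]),
    }


def summarize(lines):
    """Aggregate sleeps per process image; the TimeSpan.MaxValue sentinel is flagged, not summed."""
    per = defaultdict(lambda: {"total_ms": 0, "max_ms": 0, "sleep_calls": 0, "infinite": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per[ev["image"]]
        if ev["kind"] == "count":
            s["sleep_calls"] += ev["value"]
        elif ev["value"] >= TIMESPAN_MAX_MS:
            s["infinite"] = True
        else:
            s["total_ms"] += ev["value"]
            s["max_ms"] = max(s["max_ms"], ev["value"])
    return dict(per)


def flag_evasion(summary, window_s=120, loop_threshold=30):
    """Name the reasons a process would outlast an analysis window of window_s seconds."""
    window_ms = window_s * 1000
    verdict = {}
    for image, s in summary.items():
        reasons = []
        if s["infinite"]:
            reasons.append("infinite-sleep")
        if s["max_ms"] >= window_ms:
            reasons.append("single-sleep-exceeds-window")
        if s["total_ms"] >= window_ms:
            reasons.append("cumulative-sleep-exceeds-window")
        if s["sleep_calls"] > loop_threshold:       # many short sleeps add up the same way
            reasons.append("sleep-loop")
        if reasons:
            verdict[image] = reasons
    return verdict


if __name__ == "__main__":
    for image, reasons in flag_evasion(summarize(SAMPLE_LINES)).items():
        print(f"{image}: {', '.join(reasons)}")
```

                With the defaults, the dropper is flagged only for the infinite sleep (its other delay, 33.7 s, is under the window), bin.exe only for its 60-call sleep loop, and rem.exe and cmd.exe for all three patterns. Shrinking the window to 60 s also flags bin.exe's 65 s total, which is why the window is a parameter: tune it to the sandbox's actual run time rather than the report's fixed 30 s threshold.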
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0089002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp | Binary or memory string: vmware
                Source: bin.exe, 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000002.530516262.00000000010D8000.00000004.00000020.sdmp, bin.exe, 0000000B.00000003.295910913.00000000010D8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
                Source: ori4.0dec23sta.exe, 00000017.00000002.540819805.0000000006720000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_00889DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088FF27 FindFirstFileW,FindNextFileW,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_01029DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0102FF27 FindFirstFileW,FindNextFileW,
                Source: C:\ProgramData\images.exe | Code function: 22_2_00339DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
                Source: C:\ProgramData\images.exe | Code function: 22_2_0033FF27 FindFirstFileW,FindNextFileW,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0088FA42 LoadLibraryA,GetProcAddress,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_0089094E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_00890619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_00890620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_0103094E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_01030619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_01030620 mov eax, dword ptr fs:[00000030h]
                Source: C:\ProgramData\images.exe | Code function: 22_2_0034094E mov eax, dword ptr fs:[00000030h]
                Source: C:\ProgramData\images.exe | Code function: 22_2_00340620 mov eax, dword ptr fs:[00000030h]
                Source: C:\ProgramData\images.exe | Code function: 22_2_00340619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_00881085 GetProcessHeap,RtlAllocateHeap,
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 entries)
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | Code function: 26_2_023C4E62 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Allocates memory in foreign processes
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 31E0000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3270000 protect: page read and write
                Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 2390000 protect: page execute and read and write
                Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 23A0000 protect: page read and write
                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 400000 value starts with: 4D5A
                Creates a thread in another existing process (thread injection)
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 31E010E
                Source: C:\ProgramData\images.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 239010E
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\ (2 entries)
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\ (2 entries)
                Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\ (2 entries)
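                An exclusion on C:\ is the most damaging form of this technique: Defender stops scanning every file on the system drive, so the payloads dropped later under Temp and ProgramData go unscanned. The script below is an added example, not part of the report or of any Defender tooling: it takes process-creation command lines of the kind shown above and labels each exclusion as broad or narrow. It goes beyond the one form on this page on purpose, covering Set-MpPreference as well as Add-MpPreference, the -ExclusionProcess and -ExclusionExtension parameters, PowerShell's unambiguous-prefix parameter binding (so "-ExclusionPa" resolves but "-ExclusionP" does not, exactly as PowerShell itself behaves), and command lines wrapped in -Command or -EncodedCommand. The sample events, the "broad" path list and the executable-extension set are constructed for the example; tune them to your estate.

```python
import base64
import re
import shlex

MP_CMDLETS = ("add-mppreference", "set-mppreference")
EXCLUSION_PARAMS = ("exclusionpath", "exclusionprocess", "exclusionextension")
EXEC_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "hta"}  # constructed list
# Roots whose exclusion blinds Defender to user-writable or system-wide trees (constructed list).
BROAD_PATH_RE = re.compile(
    r"^(?:[a-z]:\\?$"                                        # a whole drive, e.g. C:\
    r"|[a-z]:\\(?:users|programdata|windows|temp)(?:\\|$)"   # user or system trees
    r"|%(?:temp|tmp|appdata|localappdata|userprofile|programdata)%)",
    re.I,
)


def unquote(token):
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"" else token


def tokenize(cmdline):
    # posix=False keeps backslashes literal (Windows paths) and quoted arguments whole.
    return [unquote(t) for t in shlex.split(cmdline, posix=False)]


def expand_script_args(tokens):
    """Inline scripts passed via -Command/-c or -EncodedCommand/-enc/-e so hidden cmdlets become visible."""
    out, i = [], 0
    while i < len(tokens):
        name = tokens[i][1:].lower() if tokens[i].startswith("-") else ""
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if name and nxt is not None:
            try:
                if name in ("e", "ec", "enc") or "encodedcommand".startswith(name):
                    script = base64.b64decode(nxt, validate=True).decode("utf-16-le")
                    out.extend(expand_script_args(tokenize(script)))
                    i += 2
                    continue
                if "command".startswith(name):
                    out.extend(expand_script_args(tokenize(nxt)))
                    i += 2
                    continue
            except (ValueError, UnicodeDecodeError):
                pass  # "-e" followed by something that is not a UTF-16LE base64 script: keep as-is
        out.append(tokens[i])
        i += 1
    return out


def resolve_param(token):
    """Map '-ExclusionPa' or '-ExclusionPath:C:\\' to (full parameter name, inline value)."""
    if not token.startswith("-"):
        return None, None
    name, _, inline_value = token[1:].partition(":")
    matches = [p for p in EXCLUSION_PARAMS if name and p.startswith(name.lower())]
    if len(matches) != 1:          # PowerShell rejects ambiguous prefixes such as -ExclusionP
        return None, None
    return matches[0], unquote(inline_value) or None


def mp_exclusions(cmdline):
    """(parameter, value) pairs that Add-/Set-MpPreference would add from this command line."""
    tokens = expand_script_args(tokenize(cmdline))
    if not any(t.lower().rstrip(";") in MP_CMDLETS for t in tokens):
        return []
    found, i = [], 0
    while i < len(tokens):
        param, value = resolve_param(tokens[i])
        if param:
            values = [value] if value else []
            if not values:   # consume value tokens up to the next parameter; arrays are comma-separated
                while i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    i += 1
                    values.append(tokens[i])
            found.extend((param, unquote(v.strip())) for v in ",".join(values).split(",") if v.strip())
        i += 1
    return found


def classify(cmdline):
    """Label each exclusion 'broad' (whole trees, executable types, per-process) or 'narrow'."""
    findings = []
    for param, value in mp_exclusions(cmdline):
        if param == "exclusionpath":
            broad = bool(BROAD_PATH_RE.match(value))
        elif param == "exclusionextension":
            broad = value.lower().lstrip("*.") in EXEC_EXTENSIONS
        else:  # exclusionprocess: every file the named process opens is skipped
            broad = True
        findings.append({"param": param, "value": value, "scope": "broad" if broad else "narrow"})
    return findings


def scan(events):
    """Run classify over process-creation events of the form {'parent': ..., 'cmdline': ...}."""
    return [{"parent": ev["parent"], **f} for ev in events for f in classify(ev["cmdline"])]


# Constructed sample events: the first command line is the one the report shows above; the others
# show the same exclusion surviving the usual -enc and -c wrapping, plus a benign control.
ENCODED = base64.b64encode(
    "Set-MpPreference -ExclusionPa 'C:\\Users\\user\\AppData\\Local\\Temp'".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": "C:\\Users\\user\\AppData\\Local\\Temp\\bin.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"parent": "C:\\Windows\\explorer.exe", "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell -c \"Add-MpPreference -ExclusionExtension exe,dll "
                "-ExclusionPath 'C:\\Program Files\\Vendor\\App'\""},
    {"parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell Get-MpPreference"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['scope']:6} {f['param']:18} {f['value']}  (parent: {f['parent']})")
```

                Run against process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing), a broad finding whose parent is anything other than an admin console or a known deployment tool is worth an alert on its own; the parent being a fresh executable in a Temp directory, as in every entry above, is the dropper pattern. The script reads only the command line, so exclusions added through the registry or through Group Policy are out of its scope.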
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 400000
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 401000
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 403000
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 13BB008
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 31E0000
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3270000
                Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 2390000
                Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 23A0000
                .NET source code references suspicious native API functions
                Source: ori4.0dec23sta.exe.4.dr, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: hawkstartup.exe.4.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: hawkstartup.exe.4.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: ori2.0dec23sta.exe.4.dr, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Contains functionality to inject threads in other processes
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_00891FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: 11_2_008879E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_010279E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: 12_2_01031FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
                Source: C:\ProgramData\images.exe | Code function: 22_2_00341FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
                Source: C:\ProgramData\images.exe | Code function: 22_2_003379E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
                Source: C:\ProgramData\images.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Process created: C:\Users\user\AppData\Local\Temp\warz.exe "C:\Users\user\AppData\Local\Temp\warz.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Process created: C:\Users\user\AppData\Local\Temp\rem.exe "C:\Users\user\AppData\Local\Temp\rem.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Process created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Process created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Process created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0
                Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_0088F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_008918BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,
                Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmpBinary or memory string: Progman
                Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: unknown VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_0088F93F cpuid
                Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: 11_2_0088882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

                Lowering of HIPS / PFW / Operating System Security Settings:

                Increases the number of concurrent connection per server for Internet Explorer
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

                Stealing of Sensitive Information:

                Yara detected MailPassView
                Source: Yara match | File source: 19.2.hawkstartup.exe.52fa72.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.11.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.14.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000001F.00000002.433914627.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000000.357769555.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.378931650.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000000.356939795.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000000.357301492.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.386194733.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000002.364309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                Yara detected HawkEye Keylogger
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                Yara detected AgentTesla
                Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000030.00000000.423572403.0000000000552000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000029.00000000.387431044.0000000000682000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000029.00000002.429550823.0000000000682000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000030.00000002.523858136.0000000000552000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000000.311917188.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\100\100.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, type: DROPPED
                Source: Yara match | File source: 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000030.00000002.535180538.0000000002961000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000029.00000002.432258770.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: ori4.0dec23sta.exe PID: 6988, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: ori2.0dec23sta.exe PID: 7112, type: MEMORYSTR
                Yara detected Remcos RAT
                Source: Yara match | File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
                Yara detected AveMaria stealer
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: C:\ProgramData\images.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Contains functionality to steal e-mail passwords
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: POP3 Password
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: SMTP Password
                Source: C:\Users\user\AppData\Local\Temp\bin.exe | Code function: IMAP Password
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: POP3 Password
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: SMTP Password
                Source: C:\Users\user\AppData\Local\Temp\warz.exe | Code function: IMAP Password
                Source: C:\ProgramData\images.exe | Code function: POP3 Password
                Source: C:\ProgramData\images.exe | Code function: SMTP Password
                Source: C:\ProgramData\images.exe | Code function: IMAP Password
                Yara detected WebBrowserPassView password recovery tool
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d9c0d.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000001F.00000002.433914627.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.378931650.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000023.00000002.377528498.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000023.00000000.360954968.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000023.00000000.361387046.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.386194733.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000023.00000000.359702071.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                Contains functionality to steal Chrome passwords or cookiesShow sources
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: \Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\bin.exeCode function: \Chromium\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\warz.exeCode function: \Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\warz.exeCode function: \Chromium\User Data\Default\Login Data
                Source: C:\ProgramData\images.exeCode function: \Google\Chrome\User Data\Default\Login Data
                Source: C:\ProgramData\images.exeCode function: \Chromium\User Data\Default\Login Data
Yara detected AveMaria stealer
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.535180538.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.432258770.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bin.exe PID: 6480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: warz.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: images.exe PID: 6824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ori4.0dec23sta.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ori2.0dec23sta.exe PID: 7112, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Yara detected AgentTesla
Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.ori2.0dec23sta.exe.d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000000.423572403.0000000000552000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000000.387431044.0000000000682000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.429550823.0000000000682000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.523858136.0000000000552000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.311917188.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\100\100.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, type: DROPPED
Source: Yara match | File source: 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.535180538.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.432258770.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ori4.0dec23sta.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ori2.0dec23sta.exe PID: 7112, type: MEMORYSTR
Yara detected Remcos RAT
Source: Yara match | File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
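The identifiers in these "File source:" entries encode where each Yara hit came from: unpacked PEs carry a decimal process index, image name, base address and dump counter; memory dumps (.sdmp) carry a hexadecimal process index, a base address and a protection value; MEMORYSTR entries carry the real OS PID. Reading them by hand across a list this long is error-prone, so the following Python helper, added here as an example and not part of the Joe Sandbox report, parses one signature's entries and groups them by process. The field layout, and the reading of the protection field as a Windows PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE), are assumptions inferred from the entries on this page rather than documented Joe Sandbox format. The sample input is a subset of the Remcos entries just above.

```python
"""Group the "File source:" entries of one Joe Sandbox Yara signature by process.

Added example; the identifier layout is inferred from the entries on this page
(process index, phase, image or counter, base address, protection) and is an
assumption rather than a documented Joe Sandbox format.
"""
import re
from collections import defaultdict

# "4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack":
#   <process index>.<phase>.<image>.<base hex>.<counter>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pidx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)"
    r"\.(?P<n>\d+)(?:\.raw)?\.unpack$"
)
# "00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp":
#   <process index hex>.<phase hex>.<counter>.<base hex>.<protection hex>.<flags hex>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pidx>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<counter>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp$"
)
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")
# Only the tail of a report line matters, so whatever precedes "File source:" is ignored.
LINE_RE = re.compile(r"File source: (?P<src>.+?), type: (?P<type>\w+)$")

PAGE_EXECUTE_READWRITE = 0x40  # Windows PAGE_* value; assumption: the protection field uses it


def parse_matches(lines):
    """One dict per 'File source:' line; fields stay None when the form is unknown."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, typ = m["src"], m["type"]
        rec = {"type": typ, "src": src, "pidx": None, "image": None,
               "pid": None, "base": None, "prot": None}
        if typ == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
            rec.update(pidx=int(u["pidx"]), image=u["image"], base=int(u["base"], 16))
        elif typ == "MEMORY" and (s := SDMP_RE.match(src)):
            rec.update(pidx=int(s["pidx"], 16), base=int(s["base"], 16),
                       prot=int(s["prot"], 16))
        elif typ == "MEMORYSTR" and (p := MEMSTR_RE.match(src)):
            rec.update(image=p["image"], pid=int(p["pid"]))
        records.append(rec)
    return records


def processes_hit(lines):
    """Map '<index> <image>' to the evidence types matched in that process.

    The image name is learned from unpacked-PE entries (decimal index) and
    applied to memory-dump entries (hex index) of the same process.
    """
    recs = parse_matches(lines)
    names = {r["pidx"]: r["image"] for r in recs if r["pidx"] is not None and r["image"]}
    hits = defaultdict(set)
    for r in recs:
        if r["pidx"] is not None:
            hits[(r["pidx"], names.get(r["pidx"], "?"))].add(r["type"])
    return {f"{idx} {img}": sorted(kinds) for (idx, img), kinds in sorted(hits.items())}


def rwx_dump_regions(lines):
    """(process index, base) of dumps taken from PAGE_EXECUTE_READWRITE memory,
    i.e. code written into the process rather than mapped from an image on disk."""
    return sorted({(r["pidx"], r["base"]) for r in parse_matches(lines)
                   if r["type"] == "MEMORY" and r["prot"] == PAGE_EXECUTE_READWRITE})


def dropped_files(lines):
    """Paths of dropped files the signature matched on disk."""
    return sorted(r["src"] for r in parse_matches(lines) if r["type"] == "DROPPED")


# Sample input: a subset of the 'Yara detected Remcos RAT' entries on this page.
REMCOS_LINES = [
    "Source: Yara match | File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR",
    "Source: Yara match | File source: C:\\Users\\user\\AppData\\Local\\Temp\\rem.exe, type: DROPPED",
]

if __name__ == "__main__":
    for proc, kinds in processes_hit(REMCOS_LINES).items():
        print(proc, kinds)
    print("RWX dumps:", [(i, hex(b)) for i, b in rwx_dump_regions(REMCOS_LINES)])
    print("dropped:", dropped_files(REMCOS_LINES))
```

Run stand-alone, it shows the Remcos rule matching the dropped rem.exe (process 13) as well as both SW0P9o9ksjpBsnr.exe instances (process indexes 0 and 4), and that the only dump taken from executable-writable memory is the 0x403000 region of process 4, the kind of region an injector writes into rather than one the loader maps from disk. Feeding it the whole signature list instead of the subset gives the complete per-process picture for each family.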
Detected HawkEye Rat
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: hawkstartup.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: hawkstartup.exe | String found in binary or memory: HawkEyeKeylogger
Source: hawkstartup.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: hawkstartup.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: hawkstartup.exe, 00000013.00000002.332921599.0000000002B31000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
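The "Detected HawkEye Rat" signature above is purely string based: the same markers (HawkEyeKeylogger, HawkEye_Keylogger_Execution_Confirmed_, HawkEye_Keylogger_Stealer_Records_, HawkEye_Keylogger_Keylog_Records_, \pidloc.txt) turn up in the dropped hawkstartup.exe and in several memory dumps. HawkEye is a .NET keylogger, and .NET user strings are stored UTF-16LE encoded in the assembly's #US heap, so a scanner that only greps for ASCII will find these markers in decoded process memory but can miss them in the file itself. The Python scanner below, an added example rather than anything from the report, searches a byte buffer for the listed markers in both encodings and reports offsets; its sample buffer is constructed here and assumes nothing about the real file's layout.

```python
"""Scan a memory dump or dropped file for HawkEye indicator strings in ASCII
and UTF-16LE. Added example, not part of the report; the SAMPLE buffer is
constructed and does not reproduce the real file layout."""
import re

# Indicator strings as reported by the 'Detected HawkEye Rat' signature.
HAWKEYE_MARKERS = (
    "HawkEyeKeylogger",
    "HawkEye_Keylogger_Execution_Confirmed_",
    "HawkEye_Keylogger_Stealer_Records_",
    "HawkEye_Keylogger_Keylog_Records_",
    "\\pidloc.txt",
)
ENCODINGS = ("ascii", "utf-16-le")  # native strings and .NET #US heap strings


def _patterns():
    """Compile one byte-regex per (marker, encoding); re.escape handles the
    backslash and dot in the path marker and leaves the UTF-16 NUL bytes as literals."""
    return [(marker, enc, re.compile(re.escape(marker.encode(enc))))
            for marker in HAWKEYE_MARKERS for enc in ENCODINGS]


def scan_hawkeye(buf: bytes):
    """Return sorted (offset, marker, encoding) tuples for every occurrence in buf."""
    hits = []
    for marker, enc, rx in _patterns():
        for m in rx.finditer(buf):
            hits.append((m.start(), marker, enc))
    return sorted(hits)


def is_hawkeye(buf: bytes, min_distinct: int = 2) -> bool:
    """Classify as HawkEye when at least min_distinct different markers appear,
    in either encoding. Requiring more than one marker avoids flagging a buffer
    that merely contains a copy of this report."""
    distinct = {marker for _, marker, _ in scan_hawkeye(buf)}
    return len(distinct) >= min_distinct


# Constructed sample: one marker UTF-16LE encoded as it would sit in a .NET #US
# heap, one ASCII run as it appears in decoded process memory, and NUL filler.
SAMPLE = (
    b"\x00" * 16
    + "HawkEye_Keylogger_Execution_Confirmed_".encode("utf-16-le")
    + b"\x00" * 8
    + b"\\pidloc.txt!HawkEyeKeylogger"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, marker, enc in scan_hawkeye(SAMPLE):
        print(f"0x{offset:04x} {enc:10s} {marker}")
    print("HawkEye:", is_hawkeye(SAMPLE))
```

An ASCII-only search over SAMPLE would report just the two markers at offsets 0x64 and 0x70 and miss the UTF-16LE one at 0x10; on a real dropped .NET binary that is the difference between a hit and a miss. The same two-encoding approach applies to any string indicator taken from a .NET sample, and in a YARA rule it is the reason for the `wide ascii` modifier.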
                Yara detected AveMaria stealerShow sources
Source: Yara match; file source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match; file source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match; file source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Detected Remcos RAT
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp; String found in binary or memory: Remcos_Mutex_Inj
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp; String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp; String found in binary or memory: Remcos_Mutex_Inj
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp; String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: rem.exe, 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp; String found in binary or memory: Remcos_Mutex_Inj
Source: rem.exe, 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp; String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe; Code function: 19_2_04DA0E9E bind,
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe; Code function: 19_2_04DA0A8E listen,
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe; Code function: 19_2_04DA0A50 listen,
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe; Code function: 19_2_04DA0E6B bind,

                Mitre Att&ck Matrix

Digits in square brackets after a technique name are the signature count badges of the original matrix cell, reproduced as extracted (the extraction did not preserve the separation between individual badges). Empty cells are empty in the original matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media [1] | Windows Management Instrumentation [211] | DLL Side-Loading [1] | DLL Side-Loading [1] | Disable or Modify Tools [21] | OS Credential Dumping [3] | System Time Discovery [1] | Replication Through Removable Media [1] | Archive Collected Data [12] | Exfiltration Over Other Network Medium | Ingress Tool Transfer [24] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Endpoint Denial of Service [1]
Default Accounts | Native API [21] | Create Account [1] | Access Token Manipulation [1] | Deobfuscate/Decode Files or Information [11] | Input Capture [131] | Peripheral Device Discovery [1] | Remote Desktop Protocol | Data from Local System [1] | Exfiltration Over Bluetooth | Encrypted Channel [2] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Service Execution [2] | Windows Service [1] | Windows Service [1] | Obfuscated Files or Information [31] | Credentials In Files [1] | System Service Discovery [1] | SMB/Windows Admin Shares | Input Capture [131] | Automated Exfiltration | Non-Standard Port [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Registry Run Keys / Startup Folder [11] | Process Injection [522] | Software Packing [11] | NTDS | File and Directory Discovery [3] | Distributed Component Object Model | Clipboard Data [1] | Scheduled Transfer | Remote Access Software [2] | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder [11] | DLL Side-Loading [1] | LSA Secrets | System Information Discovery [124] | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol [3] | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading [3] | Cached Domain Credentials | Query Registry [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol [13] | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion [131] | DCSync | Security Software Discovery [321] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation [1] | Proc Filesystem | Virtualization/Sandbox Evasion [131] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection [522] | /etc/passwd and /etc/shadow | Process Discovery [3] | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories [1] | Network Sniffing | Application Window Discovery [1] | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Users [1] | Input Capture | Remote System Discovery [1] | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | System Network Configuration Discovery [1] | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

Behavior Graph

Behavior Graph ID: 547727
Sample: SW0P9o9ksjpBsnr.exe
Startdate: 04/01/2022
Architecture: WINDOWS
Score: 100

Network contacts attached to the sample node:
  whatismyipaddress.com (104.16.155.36; ports 49765, 80; CLOUDFLARENETUS, United States)
  smtp.privateemail.com (66.29.159.53; ports 49792, 49795, 49797; ADVANTAGECOMUS, United States)
  3 other IPs or domains

Signatures attached to the sample node:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for dropped file
  Multi AV Scanner detection for dropped file
  22 other signatures

Process tree (indentation follows the "started" edges of the graph; numbers in parentheses after a process name are the count badges the graph attaches to that process, which its legend describes as the number of created registry values and created files):

SW0P9o9ksjpBsnr.exe (3)
  dropped: C:\Users\user\...\SW0P9o9ksjpBsnr.exe.log, ASCII
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  BackgroundTransferHost.exe (13)
    warz.exe (1 4)
      dropped: C:\ProgramData\images.exe, PE32
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
      images.exe
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 7 other signatures
        powershell.exe
      powershell.exe
        conhost.exe
    bin.exe (4 2)
      signatures: Contains functionality to inject threads in other processes; Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal e-mail passwords; 4 other signatures
      powershell.exe (25)
        conhost.exe
      cmd.exe
        conhost.exe
    ori2.0dec23sta.exe
      network: smtp.privateemail.com
      dropped: C:\Users\user\AppData\Roaming\100\100.exe, PE32; C:\Users\user\AppData\...\tmpG223.tmp (copy), PE32
      signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates autostart registry keys with suspicious names; 2 other signatures
    3 other processes
      network: 185.157.161.174 (ports 1975, 49756, 49757; OBE-EUROPEObenetworkEuropeSE, Sweden)
      dropped: C:\Users\user\AppData\...\Windows Update.exe, PE32; C:\Users\user\AppData\...\100.exe (copy), PE32; C:\Users\user\AppData\...\tmpG759.tmp (copy), PE32; C:\Users\user\AppData\...\hawkstartup.exe.log, ASCII
      signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  SW0P9o9ksjpBsnr.exe (7)
    dropped: C:\Users\user\AppData\Local\Temp\warz.exe, PE32; C:\Users\user\AppData\Local\Temp\rem.exe, PE32; C:\Users\user\AppData\...\ori4.0dec23sta.exe, PE32; 3 other malicious files


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
SW0P9o9ksjpBsnr.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
SW0P9o9ksjpBsnr.exe | 100% | Joe Sandbox ML |

                Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\100\100.exe | 100% | Avira | TR/Spy.Gen8
C:\ProgramData\images.exe | 100% | Avira | TR/Redcap.ghjpt
C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\bin.exe | 100% | Avira | TR/Redcap.ghjpt
C:\Users\user\AppData\Local\Temp\warz.exe | 100% | Avira | TR/Redcap.ghjpt
C:\Users\user\AppData\Local\Temp\hawkstartup.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Local\Temp\hawkstartup.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\100\100.exe | 100% | Joe Sandbox ML |
C:\ProgramData\images.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bin.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\warz.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\hawkstartup.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\rem.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML |
C:\ProgramData\images.exe | 76% | Metadefender |
C:\ProgramData\images.exe | 89% | ReversingLabs | Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\bin.exe | 76% | Metadefender |
C:\Users\user\AppData\Local\Temp\bin.exe | 89% | ReversingLabs | Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe | 86% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | 51% | Metadefender |
C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\rem.exe | 50% | Metadefender |
C:\Users\user\AppData\Local\Temp\rem.exe | 86% | ReversingLabs | Win32.Trojan.Remcos
C:\Users\user\AppData\Local\Temp\tmpG223.tmp (copy) | 86% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy) | 51% | Metadefender |
C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy) | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\warz.exe | 76% | Metadefender |
C:\Users\user\AppData\Local\Temp\warz.exe | 89% | ReversingLabs | Win32.Backdoor.Remcos

                Unpacked PE Files

Source | Detection | Scanner | Label
12.0.warz.exe.1020000.6.unpack | 100% | Avira | TR/Redcap.ghjpt
26.0.ori2.0dec23sta.exe.d0000.0.unpack | 100% | Avira | HEUR/AGEN.1143187
12.2.warz.exe.1020000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
19.0.hawkstartup.exe.4d0000.4.unpack | 100% | Avira | TR/AD.MExecute.lzrac
19.0.hawkstartup.exe.4d0000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
22.0.images.exe.330000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
11.0.bin.exe.880000.6.unpack | 100% | Avira | TR/Redcap.ghjpt
26.0.ori2.0dec23sta.exe.d0000.2.unpack | 100% | Avira | HEUR/AGEN.1143187
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | 100% | Avira | TR/AD.MExecute.lzrac
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
11.0.bin.exe.880000.2.unpack | 100% | Avira | TR/Redcap.ghjpt
22.3.images.exe.14ab2f0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
11.0.bin.exe.880000.4.unpack | 100% | Avira | TR/Redcap.ghjpt
19.0.hawkstartup.exe.4d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
19.0.hawkstartup.exe.4d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
11.0.bin.exe.880000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
22.2.images.exe.330000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
19.0.hawkstartup.exe.4d0000.12.unpack | 100% | Avira | TR/AD.MExecute.lzrac
19.0.hawkstartup.exe.4d0000.12.unpack | 100% | Avira | SPR/Tool.MailPassView.473
26.0.ori2.0dec23sta.exe.d0000.1.unpack | 100% | Avira | HEUR/AGEN.1143187
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
22.3.images.exe.14ab2f0.10.unpack | 100% | Avira | TR/Patched.Ren.Gen2
19.0.hawkstartup.exe.4d0000.8.unpack | 100% | Avira | TR/AD.MExecute.lzrac
19.0.hawkstartup.exe.4d0000.8.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | 100% | Avira | TR/Dropper.Gen
23.0.ori4.0dec23sta.exe.8c0000.1.unpack | 100% | Avira | HEUR/AGEN.1143187
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | 100% | Avira | TR/AD.MExecute.lzrac
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
11.2.bin.exe.880000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | 100% | Avira | TR/AD.MExecute.lzrac
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | 100% | Avira | TR/AD.MExecute.lzrac
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
23.0.ori4.0dec23sta.exe.8c0000.3.unpack | 100% | Avira | HEUR/AGEN.1143187
23.2.ori4.0dec23sta.exe.8c0000.0.unpack | 100% | Avira | HEUR/AGEN.1143187
26.2.ori2.0dec23sta.exe.d0000.0.unpack | 100% | Avira | HEUR/AGEN.1143187
23.0.ori4.0dec23sta.exe.8c0000.2.unpack | 100% | Avira | HEUR/AGEN.1143187
19.2.hawkstartup.exe.4d0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
19.2.hawkstartup.exe.4d0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
12.0.warz.exe.1020000.2.unpack | 100% | Avira | TR/Redcap.ghjpt
23.0.ori4.0dec23sta.exe.8c0000.0.unpack | 100% | Avira | HEUR/AGEN.1143187
26.0.ori2.0dec23sta.exe.d0000.3.unpack | 100% | Avira | HEUR/AGEN.1143187
12.0.warz.exe.1020000.4.unpack | 100% | Avira | TR/Redcap.ghjpt
12.0.warz.exe.1020000.0.unpack | 100% | Avira | TR/Redcap.ghjpt

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://hWWJFF.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://KXOf8Lcd51drIxRwI.orgd= | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://KXOf8Lcd51drIxRwI.org | 0% | Avira URL Cloud | safe
http://www.tiro.com2 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.tiro.comB | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
https://KXOf8Lcd51drIxRwI.org81 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comC | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.monotypeimaging.c | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.come | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.carterandcone.comslnt | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comAt | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://KXOf8Lcd51drIxRwI.orgInProcServer32 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://crl.c | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://KXOf8Lcd51drIxRwI.orgInprocHandler | 0% | Avira URL Cloud | safe
http://CDIeMO.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comceaY | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | | high
smtp.privateemail.com | 66.29.159.53 | true | false | | high
9.96.11.0.in-addr.arpa | unknown | unknown | false | | high

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | | high

                        URLs from Memory and Binaries


                                                            Contacted IPs

                                                            Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.157.161.174 | unknown | Sweden | SE | 197595 | OBE-EUROPE Obenetwork Europe | true
104.16.155.36 | whatismyipaddress.com | United States | US | 13335 | CLOUDFLARENET | false
66.29.159.53 | smtp.privateemail.com | United States | US | 19538 | ADVANTAGECOM | false

                                                            Private

                                                            IP
                                                            192.168.2.1
                                                            127.0.0.1

                                                            General Information

                                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                                            Analysis ID:547727
                                                            Start date:04.01.2022
                                                            Start time:15:04:39
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 15m 5s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:SW0P9o9ksjpBsnr.exe
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                            Number of analysed new started processes analysed:50
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.phis.troj.spyw.expl.evad.winEXE@46/115@17/5
                                                            EGA Information:Failed
                                                            HDC Information:
                                                            • Successful, ratio: 26.9% (good quality ratio 24.8%)
                                                            • Quality average: 79%
                                                            • Quality standard deviation: 30%
                                                            HCA Information:
                                                            • Successful, ratio: 64%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .exe
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                            • TCP Packets have been reduced to 100
                                                            • Created / dropped Files have been reduced to 100
                                                            • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.42.73.29, 52.168.117.173
                                                            • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                                                            • Not all processes were analyzed, report is missing behavior information
                                                            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                            Simulations

                                                            Behavior and APIs

                                                            Time      Type             Description
                                                            15:05:49  API Interceptor  1x Sleep call for process: SW0P9o9ksjpBsnr.exe modified
                                                            15:06:03  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Images C:\Users\user\AppData\Local\Temp\bin.exe
                                                            15:06:05  API Interceptor  91x Sleep call for process: rem.exe modified
                                                            15:06:06  API Interceptor  111x Sleep call for process: powershell.exe modified
                                                            15:06:08  API Interceptor  1592x Sleep call for process: cmd.exe modified
                                                            15:06:24  API Interceptor  424x Sleep call for process: ori2.0dec23sta.exe modified
                                                            15:06:24  API Interceptor  21x Sleep call for process: Windows Update.exe modified
                                                            15:06:27  API Interceptor  567x Sleep call for process: ori4.0dec23sta.exe modified
                                                            15:06:27  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                            15:06:35  API Interceptor  1x Sleep call for process: dw20.exe modified
                                                            15:06:36  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 100 C:\Users\user\AppData\Roaming\100\100.exe
                                                            15:06:44  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                            15:06:52  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 100 C:\Users\user\AppData\Roaming\100\100.exe
                                                            15:06:59  API Interceptor  233x Sleep call for process: 100.exe modified
                                                            15:07:03  API Interceptor  1x Sleep call for process: WerFault.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            No context

                                                            Domains

                                                            No context

                                                            ASN

                                                            No context

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\ProgramData\images.exe
                                                            Process:C:\Users\user\AppData\Local\Temp\warz.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):115712
                                                            Entropy (8bit):6.3755741620209365
                                                            Encrypted:false
                                                            SSDEEP:1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01Ne:K1VmhaH8EFvW+0OVE0f
                                                            MD5:1D90A7DA17807F64F1699E5EA2091A36
                                                            SHA1:94BC36E1791CF32A00CBCED56BBC26B9FCDB83BC
                                                            SHA-256:1B7C4871410C1AF15640CF7524EB887EF4AA416027B727FE6D32ED48DAD03A5E
                                                            SHA-512:5592D140691F092AD46D38FC1A635D1F5206A796180146894AEE0FE2101D957F4BFFA0CE968A5E074182D2CBAAB9903E67413A06CD9CC54C112220E77A555F98
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\ProgramData\images.exe, Author: Florian Roth
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\ProgramData\images.exe, Author: Florian Roth
                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\ProgramData\images.exe, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\ProgramData\images.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\images.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\ProgramData\images.exe, Author: Joe Security
                                                            • Rule: AveMaria_WarZone, Description: unknown, Source: C:\ProgramData\images.exe, Author: unknown
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: Metadefender, Detection: 76%
                                                            • Antivirus: ReversingLabs, Detection: 89%
                                                            Reputation:unknown
                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z]..><..><..><...3.?<..7D..?<...3.<<......?<......=<..;0..?<..7D..:<..7D..!<..><...<...U..N<...Um.?<...U..?<..Rich><..........PE..L.....I_.................0...........\.......@....@..........................@............@..................................w..........p,................... .......u...............................................@..p............................text............0.................. ..`.rdata...I...@...J...4..............@..@.data....P...........~..............@....rsrc...p,..........................@..@.reloc....... ......................@..B.bss.........0......................@..@................................................................................................................................................................................................................................................................
                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hawkstartup.exe.log
                                                            Process:C:\Users\user\AppData\Local\Temp\hawkstartup.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):916
                                                            Entropy (8bit):5.282390836641403
                                                            Encrypted:false
                                                            SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                            MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                            SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                            SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                            SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                            Malicious:true
                                                            Reputation:unknown
                                                            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SW0P9o9ksjpBsnr.exe.log
                                                            Process:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.355304211458859
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                            MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                            SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                            SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                            SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                            Malicious:true
                                                            Reputation:unknown
                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):22368
                                                            Entropy (8bit):5.603645337088908
                                                            Encrypted:false
                                                            SSDEEP:384:HtCDhhikbvV/K/SZO090C+RcS0nkjultIi/7Y9gxSJ3xST1MaDZlbAV7LjUQZu5M:ClK/SQYjTkCltd7xcgCSfwf0Vk
                                                            MD5:991B2C2382791C58F60FAEA90A28C248
                                                            SHA1:0859021B1C373C875CA0EC5C5D4EF6176E3E1F63
                                                            SHA-256:D97E42F64A7686C8E3B0730F5B227229B50A9BD43ECF277363F0FFB0E3BC660E
                                                            SHA-512:8DCEE70DF93E1CAD9165260A467FA10BA1EFF8A1BE8AEEE2D5623BB832B430E54FAD9D09DFC076B3393305C59BA6063C9E0582CE554B48FD24FC4A2EB660FEBF
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: @...e...................h.................J..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                            C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                                            Process:C:\Users\user\AppData\Local\Temp\hawkstartup.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):50
                                                            Entropy (8bit):4.328367439558377
                                                            Encrypted:false
                                                            SSDEEP:3:oNUkh4E2J5xAI4LyJ:oN923f4yJ
                                                            MD5:0E653EA1CA5B51AE6B0407A3B06ABDB2
                                                            SHA1:3215A0FB9DFF9E5206F4EA532083883667CCA1B2
                                                            SHA-256:342B658E9D2BF4EC676BE1E0825D358E795FB25EC950181226160D8D59A4A348
                                                            SHA-512:8E5550682036905321BDFB687C1A85453D1316633816126CEB9EA3140C79E25B606581457893AEC666D22DC97467345EE02E901AF8B0E571C2B07B883A459917
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: C:\Users\user\AppData\Local\Temp\hawkstartup.exe
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rgqrzb1.mio.ps1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eu3ejk2l.dei.psm1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f30gmf23.2tk.psm1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jhvqfjsx.lnn.ps1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ssu14o0g.t05.ps1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_who4ph3w.f4y.psm1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\bin.exe
                                                            Process:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):115712
                                                            Entropy (8bit):6.375962866007663
                                                            Encrypted:false
                                                            SSDEEP:1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
                                                            MD5:805FBB84293E86F25B566A5B2C2815D2
                                                            SHA1:5712F69EAFCA434E4D6CDFD8081EBFB728708C25
                                                            SHA-256:E78FCD503A6B0A663AB4A72B97C010C932840998DA05784BA75F7D6802EA822F
                                                            SHA-512:5927584ABABC4C2D533984C607A96590D1640B6939D33E9F994B684F38F1541DFDC1D0778F5DBE586353C46BEBC3A7F0E46A1156F34E5748AB31FF0AF16807A2
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Florian Roth
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Florian Roth
                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Joe Security
                                                            • Rule: AveMaria_WarZone, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: unknown
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: Metadefender, Detection: 76%
                                                            • Antivirus: ReversingLabs, Detection: 89%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\hawkstartup.exe
                                                            Process:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):532992
                                                            Entropy (8bit):6.50689182620986
                                                            Encrypted:false
                                                            SSDEEP:6144:XujqWRdUbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9w:IdUQtqB5urTIoYWBQk1E+VF9mOx9wi
                                                            MD5:AEAF1943FB037B6529873D7CC47CE137
                                                            SHA1:146F9F3451B53A95C7783903C522EC873AE05B80
                                                            SHA-256:D28142C344D44B16AD7B4B0FB8634B2AD3BF8638BC001CDDC3872B5892B01DF1
                                                            SHA-512:1DDAA2CD43597B8B25E609113FC005B6CD8384B40197731E7BD8DEB182A94493B741726867849594979FBF7E983EEDC1532016E7C26D54DCA573585B1B8871CA
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Arnim Rupp
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: JPCERT/CC Incident Response Group
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe
                                                            Process:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):220672
                                                            Entropy (8bit):6.055847125653901
                                                            Encrypted:false
                                                            SSDEEP:3072:LVQD9iZkWDVXgc5YOoNUJtJRzRM34QoZaexsVw3Ny5PSv4+ckvDXZFNVQYUygYj:Licg5UHNMAZTsYyEv4+hLZh1U
                                                            MD5:421138225D5DEE81805C5E5072898504
                                                            SHA1:2FF010EA34F2967839B35BE9F60D95AAD4BA73D1
                                                            SHA-256:E2B9FA401F76BAB3AC4E4121DA34804699A143F3F8DF13E4BA14885671EB2804
                                                            SHA-512:5C1CFBA4446BFF8BE8CA0345C60D74685E08991FC316E89B705EFAB65B9E066D540E7D75C781736ECDD6FF4AA0900BF73B8463218AAC378BEB02D7B12B43473A
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 86%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe
                                                            Process:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):221184
                                                            Entropy (8bit):6.0611591430910705
                                                            Encrypted:false
                                                            SSDEEP:3072:h9W62gdD+uiigULgEVbF2nAbTIAfdXUiuC4kQdMDfS0RyCdMjVwuNyqrs8SnKV3i:hyCanArxULLdmHunyp8SKxzal6GTC
                                                            MD5:F41809BC71EEB2C3B1676309139216A8
                                                            SHA1:C012A5FFB060A5B841D17D6BB82602D01364901C
                                                            SHA-256:7E6D00EB0D8DA711EAD4C519CA281C294066BC3BC2146EB62918998AE3C54E34
                                                            SHA-512:F27FE07EEAA7CC1FC622631404F8A30F7C81FB804765788C6CEE43FE72EF0F10717CE654DD1F2A1A928177E3168B69136A6B9CBE05EE4C83034D8C9940728FB6
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: Metadefender, Detection: 51%
                                                            • Antivirus: ReversingLabs, Detection: 86%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\rem.exe
                                                            Process:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):474112
                                                            Entropy (8bit):6.5805818899521675
                                                            Encrypted:false
                                                            SSDEEP:12288:iegN0jfYLclGb0bVT6e+MT2MffZS/gzSYo:ENywLclGIeMT2MXZRzSV
                                                            MD5:9E764165FBA9E86937643D84A2F4E063
                                                            SHA1:0AACD8A74DE058034C1B9224F8CD82E5B7D07102
                                                            SHA-256:DD925001A61D7D233BF538D891975F242E205FF1A40935332076BF85FCDE6271
                                                            SHA-512:3AA4E36FF823CBA55737464FDFA85B1195A86BE36265FCF05EBE3B28DE3510FE3AE79C14F1DEB21B26C599D643ADE5B7230E822E849476E655883FDBA3145685
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\rem.exe, Author: Joe Security
                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\rem.exe, Author: unknown
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: Metadefender, Detection: 50%
                                                            • Antivirus: ReversingLabs, Detection: 86%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\tmpG223.tmp (copy)
                                                            Process:C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):0
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3072:LVQD9iZkWDVXgc5YOoNUJtJRzRM34QoZaexsVw3Ny5PSv4+ckvDXZFNVQYUygYj:Licg5UHNMAZTsYyEv4+hLZh1U
                                                            MD5:421138225D5DEE81805C5E5072898504
                                                            SHA1:2FF010EA34F2967839B35BE9F60D95AAD4BA73D1
                                                            SHA-256:E2B9FA401F76BAB3AC4E4121DA34804699A143F3F8DF13E4BA14885671EB2804
                                                            SHA-512:5C1CFBA4446BFF8BE8CA0345C60D74685E08991FC316E89B705EFAB65B9E066D540E7D75C781736ECDD6FF4AA0900BF73B8463218AAC378BEB02D7B12B43473A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 86%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy)
                                                            Process:C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):221184
                                                            Entropy (8bit):6.0611591430910705
                                                            Encrypted:false
                                                            SSDEEP:3072:h9W62gdD+uiigULgEVbF2nAbTIAfdXUiuC4kQdMDfS0RyCdMjVwuNyqrs8SnKV3i:hyCanArxULLdmHunyp8SKxzal6GTC
                                                            MD5:F41809BC71EEB2C3B1676309139216A8
                                                            SHA1:C012A5FFB060A5B841D17D6BB82602D01364901C
                                                            SHA-256:7E6D00EB0D8DA711EAD4C519CA281C294066BC3BC2146EB62918998AE3C54E34
                                                            SHA-512:F27FE07EEAA7CC1FC622631404F8A30F7C81FB804765788C6CEE43FE72EF0F10717CE654DD1F2A1A928177E3168B69136A6B9CBE05EE4C83034D8C9940728FB6
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Metadefender, Detection: 51%
                                                            • Antivirus: ReversingLabs, Detection: 86%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\warz.exe
                                                            Process:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):115712
                                                            Entropy (8bit):6.3755741620209365
                                                            Encrypted:false
                                                            SSDEEP:1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01Ne:K1VmhaH8EFvW+0OVE0f
                                                            MD5:1D90A7DA17807F64F1699E5EA2091A36
                                                            SHA1:94BC36E1791CF32A00CBCED56BBC26B9FCDB83BC
                                                            SHA-256:1B7C4871410C1AF15640CF7524EB887EF4AA416027B727FE6D32ED48DAD03A5E
                                                            SHA-512:5592D140691F092AD46D38FC1A635D1F5206A796180146894AEE0FE2101D957F4BFFA0CE968A5E074182D2CBAAB9903E67413A06CD9CC54C112220E77A555F98
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Florian Roth
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Florian Roth
                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Joe Security
                                                            • Rule: AveMaria_WarZone, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: unknown
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: Metadefender, Detection: 76%
                                                            • Antivirus: ReversingLabs, Detection: 89%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\100\100.exe
                                                            Process:C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):0
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3072:h9W62gdD+uiigULgEVbF2nAbTIAfdXUiuC4kQdMDfS0RyCdMjVwuNyqrs8SnKV3i:hyCanArxULLdmHunyp8SKxzal6GTC
                                                            MD5:F41809BC71EEB2C3B1676309139216A8
                                                            SHA1:C012A5FFB060A5B841D17D6BB82602D01364901C
                                                            SHA-256:7E6D00EB0D8DA711EAD4C519CA281C294066BC3BC2146EB62918998AE3C54E34
                                                            SHA-512:F27FE07EEAA7CC1FC622631404F8A30F7C81FB804765788C6CEE43FE72EF0F10717CE654DD1F2A1A928177E3168B69136A6B9CBE05EE4C83034D8C9940728FB6
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\100\100.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\100\100.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\100\100.exe (copy)
                                                            Process:C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):221184
                                                            Entropy (8bit):6.0611591430910705
                                                            Encrypted:false
                                                            SSDEEP:3072:h9W62gdD+uiigULgEVbF2nAbTIAfdXUiuC4kQdMDfS0RyCdMjVwuNyqrs8SnKV3i:hyCanArxULLdmHunyp8SKxzal6GTC
                                                            MD5:F41809BC71EEB2C3B1676309139216A8
                                                            SHA1:C012A5FFB060A5B841D17D6BB82602D01364901C
                                                            SHA-256:7E6D00EB0D8DA711EAD4C519CA281C294066BC3BC2146EB62918998AE3C54E34
                                                            SHA-512:F27FE07EEAA7CC1FC622631404F8A30F7C81FB804765788C6CEE43FE72EF0F10717CE654DD1F2A1A928177E3168B69136A6B9CBE05EE4C83034D8C9940728FB6
                                                            Malicious:true
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_150604.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794025
                                                            Entropy (8bit):7.943882793165034
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+M:ZSiGvxfK7ZMWSFpC6p8FE/Qq//H
                                                            MD5:D4EB61682F95D08DFC9567306B5C9B16
                                                            SHA1:34A411C597C5774E7982E344BF1420F34F5ABAA6
                                                            SHA-256:C23663D85A5FCEB40BFE6DC6BDB316DD71D200947DED160ABB69C616A876541E
                                                            SHA-512:44F44C55D416D6650E0EBBB9F0F51A5D93633545F48CD997744446F39E93386021054465523B3B9AE231BAC0EA407062417CAD59E5E68885BA5C793243DCA758
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_151605.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794030
                                                            Entropy (8bit):7.9439270855102535
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+3:ZSiGvxfK7ZMWSFpC6p8FE/Qj29n+
                                                            MD5:50E6CD211911C31C62D4B423DB6E9AB5
                                                            SHA1:6820D4090D87DF1E352CE7D16389A032DAEBFF4A
                                                            SHA-256:5039764FD5E0567D1730317580C3EBFEEB7B17BC7E52F2CD24BEF8AF68774B90
                                                            SHA-512:D2FC1719A0B8C8BD6137D51A46960A10036C029DD9E82B7DCBE82D13209D36AF46F119F1B762E85E408E376BA643446E104912EE0A4C3E929BB900EEDA5228B2
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_152610.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794683
                                                            Entropy (8bit):7.944435033884138
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//funJ:ZSiGvxfK7ZMWSFpC6p8FE//fuKkhCjg/
                                                            MD5:7AE836421A27084740BFF84057CB37DA
                                                            SHA1:DA2AD34E16A411976EAB29F30DA2E38D347D8B7C
                                                            SHA-256:E4B46D63A37A05D9028A7CF6CE2293441F42051B3D0225714CE9326CB3619872
                                                            SHA-512:8AA4F8B5B64D2C167791BE6D8A90F569A78737E41AAC543BA9A1DFA44D332E13019C46E197246C09C2D59A9340C78A152FB4DAF725A1AE18D02846EA7F11CFED
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_153610.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794683
                                                            Entropy (8bit):7.944435033884138
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//funJ:ZSiGvxfK7ZMWSFpC6p8FE//fuKkhCjg/
                                                            MD5:7AE836421A27084740BFF84057CB37DA
                                                            SHA1:DA2AD34E16A411976EAB29F30DA2E38D347D8B7C
                                                            SHA-256:E4B46D63A37A05D9028A7CF6CE2293441F42051B3D0225714CE9326CB3619872
                                                            SHA-512:8AA4F8B5B64D2C167791BE6D8A90F569A78737E41AAC543BA9A1DFA44D332E13019C46E197246C09C2D59A9340C78A152FB4DAF725A1AE18D02846EA7F11CFED
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_154611.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794683
                                                            Entropy (8bit):7.944435033884138
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//funJ:ZSiGvxfK7ZMWSFpC6p8FE//fuKkhCjg/
                                                            MD5:7AE836421A27084740BFF84057CB37DA
                                                            SHA1:DA2AD34E16A411976EAB29F30DA2E38D347D8B7C
                                                            SHA-256:E4B46D63A37A05D9028A7CF6CE2293441F42051B3D0225714CE9326CB3619872
                                                            SHA-512:8AA4F8B5B64D2C167791BE6D8A90F569A78737E41AAC543BA9A1DFA44D332E13019C46E197246C09C2D59A9340C78A152FB4DAF725A1AE18D02846EA7F11CFED
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_155617.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_160618.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_161618.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_162619.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_163620.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_164620.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_165621.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_170621.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_171622.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_172623.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_173623.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_174624.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_175625.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):801724
                                                            Entropy (8bit):7.94317946801279
                                                            Encrypted:false
                                                            SSDEEP:12288:UNGZS9+Wp0T9e4Lm8504VFeerXxR4WnQDnX5qKHaG1uVuOOMg:L6+WC9H504NR404oKHayOOr
                                                            MD5:F461190699F2E3869CC1C766851E93A5
                                                            SHA1:41F8EB6AB8A70AF682765602D1EC1FF80A9A3F99
                                                            SHA-256:DE0F627C7C6FD648FDD15C4A5EB710F42E9A64EDD7D8E6FE83B43F3C8926EE6A
                                                            SHA-512:46C6764F9D1428145FB29FFDAB17CBF96D81E56A9871EEB73D7A271CC2DFFC80DD6A19647F9C59193F55F721E489E7568B29F6C4DFFD5F8EDEB36AE19A889F9D
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_180625.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810256
                                                            Entropy (8bit):7.944174173318863
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcZvCSvP:QDfLWE/b8D/vP
                                                            MD5:2BA8EC6BC5415D932D8C2306FA8F9CF7
                                                            SHA1:6409E0F33958EA38B12DD23430CCA4745BE51127
                                                            SHA-256:9546F04506AD850EA65E7707EA6B5FA2DA579AF43D9C5D98071FADB9C05958AE
                                                            SHA-512:6F2476A7F72CEF8157174F0A64BF44D8C30B70980435810499ECD6AF54AA858DBE56D94A6D17BEC99790865B1769018DEA57CBF2F2519EC31B7C60A2DC465BC4
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_181626.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795129
                                                            Entropy (8bit):7.943552777920506
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+F:ZSiGvxfK7ZMWSFpC6p8FE/Q9Ima9SeW
                                                            MD5:ECAEA4C6C9CC78C158033127BE390B5C
                                                            SHA1:41EECC4A1C94F22C32ECFA8036A691D9F076E314
                                                            SHA-256:39AD908A3F20BD925E7EFA84299B39AEAEC13527F09652FA3050A681C55A16E1
                                                            SHA-512:A4D0574B8844D22DD51B668426110409DF6246C330FCBCCEBB331DBE6517BAF52C79774A754B641807C417CDDD9336C02E4DB93E00D0EF7F375AB228AE132A17
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_182626.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795129
                                                            Entropy (8bit):7.943552777920506
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+F:ZSiGvxfK7ZMWSFpC6p8FE/Q9Ima9SeW
                                                            MD5:ECAEA4C6C9CC78C158033127BE390B5C
                                                            SHA1:41EECC4A1C94F22C32ECFA8036A691D9F076E314
                                                            SHA-256:39AD908A3F20BD925E7EFA84299B39AEAEC13527F09652FA3050A681C55A16E1
                                                            SHA-512:A4D0574B8844D22DD51B668426110409DF6246C330FCBCCEBB331DBE6517BAF52C79774A754B641807C417CDDD9336C02E4DB93E00D0EF7F375AB228AE132A17
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_183627.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795129
                                                            Entropy (8bit):7.943552777920506
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+F:ZSiGvxfK7ZMWSFpC6p8FE/Q9Ima9SeW
                                                            MD5:ECAEA4C6C9CC78C158033127BE390B5C
                                                            SHA1:41EECC4A1C94F22C32ECFA8036A691D9F076E314
                                                            SHA-256:39AD908A3F20BD925E7EFA84299B39AEAEC13527F09652FA3050A681C55A16E1
                                                            SHA-512:A4D0574B8844D22DD51B668426110409DF6246C330FCBCCEBB331DBE6517BAF52C79774A754B641807C417CDDD9336C02E4DB93E00D0EF7F375AB228AE132A17
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_184628.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795096
                                                            Entropy (8bit):7.943681228415246
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+h:ZSiGvxfK7ZMWSFpC6p8FE/QogJN
                                                            MD5:D1B697D6D5117278C21A270C3248DAFC
                                                            SHA1:0C635068F7FB5193F023B700F0C2C985B239EEAB
                                                            SHA-256:228504CE2AC4BD91D80675E2816344FFBB6EE3E1617D28E0D70541D8CA58B581
                                                            SHA-512:BDEE909F839572CBDBD82E3B2C1D09CFD84B022659A86E5D6BCFB42FC65E3B55C80835A93D6C103CC4C0B3E539BEC2C674A2408ACBD8F1989FBC98A35FF04261
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_185631.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795281
                                                            Entropy (8bit):7.943729813452789
                                                            Encrypted:false
                                                            SSDEEP:24576:ZSiGvxfK7ZMWSFpC6p8FE/QdNrsIcsSea:QDfLWE/QDrsIczea
                                                            MD5:6793E87EFA493F5299239C64B60A1E22
                                                            SHA1:4BE29C82FF5CF58B5B11975326792610B3374414
                                                            SHA-256:A3BD151A1CDF1F911B72E3001676DB680773519BFB42C5C8F3D756CECE92FB70
                                                            SHA-512:E8096C3D6981570D97DC14E7C4A839EF5482E9335A5FBE66AD4EAC1957AB6FFDE6B199968449700F6554478EEC07A2231ED8F27C3B7DB212A4E5F54CD5ED877E
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_190632.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795064
                                                            Entropy (8bit):7.944506064644382
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fRNy:ZSiGvxfK7ZMWSFpC6p8FE//frF/PA
                                                            MD5:1286B3E1D9857F02198E3A565197A53A
                                                            SHA1:82AB57535D4BC2C70ACD5D519D5DCBB5DF36C0C6
                                                            SHA-256:C20BA1BF0D5E87D0062B1247998E81BAD0E2F5C2397748DE38E522F97EF7022D
                                                            SHA-512:4049C153227D887F9DA6B3F09904AD8A0D88EB31DA2BDCE95D2E1B7CFE22DE507E01935154615B442851ACAF62C6D334D449FF035A647B14A457440F7486F60B
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_191633.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795064
                                                            Entropy (8bit):7.944506064644382
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fRNy:ZSiGvxfK7ZMWSFpC6p8FE//frF/PA
                                                            MD5:1286B3E1D9857F02198E3A565197A53A
                                                            SHA1:82AB57535D4BC2C70ACD5D519D5DCBB5DF36C0C6
                                                            SHA-256:C20BA1BF0D5E87D0062B1247998E81BAD0E2F5C2397748DE38E522F97EF7022D
                                                            SHA-512:4049C153227D887F9DA6B3F09904AD8A0D88EB31DA2BDCE95D2E1B7CFE22DE507E01935154615B442851ACAF62C6D334D449FF035A647B14A457440F7486F60B
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_192634.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795129
                                                            Entropy (8bit):7.943552777920506
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+F:ZSiGvxfK7ZMWSFpC6p8FE/Q9Ima9SeW
                                                            MD5:ECAEA4C6C9CC78C158033127BE390B5C
                                                            SHA1:41EECC4A1C94F22C32ECFA8036A691D9F076E314
                                                            SHA-256:39AD908A3F20BD925E7EFA84299B39AEAEC13527F09652FA3050A681C55A16E1
                                                            SHA-512:A4D0574B8844D22DD51B668426110409DF6246C330FCBCCEBB331DBE6517BAF52C79774A754B641807C417CDDD9336C02E4DB93E00D0EF7F375AB228AE132A17
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_193634.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795129
                                                            Entropy (8bit):7.943552777920506
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+F:ZSiGvxfK7ZMWSFpC6p8FE/Q9Ima9SeW
                                                            MD5:ECAEA4C6C9CC78C158033127BE390B5C
                                                            SHA1:41EECC4A1C94F22C32ECFA8036A691D9F076E314
                                                            SHA-256:39AD908A3F20BD925E7EFA84299B39AEAEC13527F09652FA3050A681C55A16E1
                                                            SHA-512:A4D0574B8844D22DD51B668426110409DF6246C330FCBCCEBB331DBE6517BAF52C79774A754B641807C417CDDD9336C02E4DB93E00D0EF7F375AB228AE132A17
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_194637.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794782
                                                            Entropy (8bit):7.944634143869951
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//funV:ZSiGvxfK7ZMWSFpC6p8FE//fuKNoA6
                                                            MD5:7E4B1EB58538808E85E8EBAEA2152884
                                                            SHA1:1E394754B9D59AEF73E32D45D5DBCEF83CB8D701
                                                            SHA-256:D1F586998F5564C4C92DAA86F9861E9B26DB4AF1B523A633A53E7357953BE362
                                                            SHA-512:38EAB3AE6A50EC71A6E5FF9F395E9CC7C259A89FD2DEF985CAA6AB0D01385E10993608F41C5F34C6C3004E85CDCF6FF7996A2AB0050834A6030DB52378FA2450
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_195638.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794782
                                                            Entropy (8bit):7.944634143869951
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//funV:ZSiGvxfK7ZMWSFpC6p8FE//fuKNoA6
                                                            MD5:7E4B1EB58538808E85E8EBAEA2152884
                                                            SHA1:1E394754B9D59AEF73E32D45D5DBCEF83CB8D701
                                                            SHA-256:D1F586998F5564C4C92DAA86F9861E9B26DB4AF1B523A633A53E7357953BE362
                                                            SHA-512:38EAB3AE6A50EC71A6E5FF9F395E9CC7C259A89FD2DEF985CAA6AB0D01385E10993608F41C5F34C6C3004E85CDCF6FF7996A2AB0050834A6030DB52378FA2450
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_200638.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_201639.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_202639.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_203640.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_204640.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_205642.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795342
                                                            Entropy (8bit):7.943548307920346
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/Quv+R:ZSiGvxfK7ZMWSFpC6p8FE/QTKjyPOC
                                                            MD5:B950EB3A2A225A70D17FE269DE35A5DF
                                                            SHA1:31215713F9CF099011C3AE1F7F94AB6D73BC3BFA
                                                            SHA-256:EB98551D5D0C91DDF9049784C435205AEB5CA5750714E8A32DAC83CFFEC6B6D3
                                                            SHA-512:62820C3B78D163E6D27FA58981229158349143919B2D4DAAA1E98B9E04C690F6CDAFA520FE55CF486B71355D133E3E44F8533314797DF6F1F199F0299EE82F71
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_210644.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795064
                                                            Entropy (8bit):7.944506064644382
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fRNy:ZSiGvxfK7ZMWSFpC6p8FE//frF/PA
                                                            MD5:1286B3E1D9857F02198E3A565197A53A
                                                            SHA1:82AB57535D4BC2C70ACD5D519D5DCBB5DF36C0C6
                                                            SHA-256:C20BA1BF0D5E87D0062B1247998E81BAD0E2F5C2397748DE38E522F97EF7022D
                                                            SHA-512:4049C153227D887F9DA6B3F09904AD8A0D88EB31DA2BDCE95D2E1B7CFE22DE507E01935154615B442851ACAF62C6D334D449FF035A647B14A457440F7486F60B
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_211648.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):795064
                                                            Entropy (8bit):7.944506064644382
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fRNy:ZSiGvxfK7ZMWSFpC6p8FE//frF/PA
                                                            MD5:1286B3E1D9857F02198E3A565197A53A
                                                            SHA1:82AB57535D4BC2C70ACD5D519D5DCBB5DF36C0C6
                                                            SHA-256:C20BA1BF0D5E87D0062B1247998E81BAD0E2F5C2397748DE38E522F97EF7022D
                                                            SHA-512:4049C153227D887F9DA6B3F09904AD8A0D88EB31DA2BDCE95D2E1B7CFE22DE507E01935154615B442851ACAF62C6D334D449FF035A647B14A457440F7486F60B
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_212650.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):786044
                                                            Entropy (8bit):7.944852902378266
                                                            Encrypted:false
                                                            SSDEEP:12288:n0zRFdVidv5vAu1EP2NFK1MFBJcxYinEtLa03cSp0WoYz+hNanc3en:0RFdKv5vFNFK1qeYY4GSdoSqNzi
                                                            MD5:328647C12B0B258F7AF81E371936FF19
                                                            SHA1:DC6A34C459EF718E922D914372AFEBE74B60207A
                                                            SHA-256:75413346AF5A94FA30FB2E52E86003C0D328285C08B5625096BA26CBD09E4B7D
                                                            SHA-512:A50810BE9DCEFB2CD9DCD35E10979A27BFFABDBCA6943BE0576D899105294AA33E5D2058F0A716161FDC40B029DC641A4D57FDF0F34D70DB35D6E2698CE6BD3A
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4Ey......u7.....(..^p7.\1W..f1..cB.0F....#. n.... ..$.J.+..wpG........._=....9s......LwUuuuw.S..=........Q..M..m7....;.7.dm..G..y.2.8.f.-#..j..V5.4.{.n..m.....\..Q1{...._......[.........;....c.[.....[..v.8~..G,..mR....BWy~?..>f.~...}.....Y.M..i...c.K..TF*[........7..v.g.:7\".=.n}MX.:....B.c<....`..B.......~S.{/..^.XN...I|...aQ.X...n..Q0..fCc.G4......fp.m.1.)..6\....V...u.E...Z..v.k..x.+^111..s...R..'........e...>.9H>t..._.n..I........c.T.t.I...nH.s!m.Dm.[V.?.....c.O.9.k.j.<.Q..n..2[...8.B.v...XZ...f..{...4.=9'{.x.SZ.h...@.Y.@...v|..3.c..D...LL.d......$..4.Ge.e..T.|.'L.p..m....cZ.3.Q.M...I.....8Z..H.-.1.i...?...&&vj&...x..:.c./.7.e.o.....Fl.c.TV\..`m-..=t..,..b.....8.cT..h....00................`..@..D.Ohw.H4.uu.)6S........c@.v.`:.p..c..`.......ANjO#..I....-x2..J$.~..-..b........v.V..,...:..+.:].<.2.,_.c..uU..bm....`...t..... X.C..I!x-2...z..V.
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_213652.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_214654.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_215655.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):794837
                                                            Entropy (8bit):7.944700139262412
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE//fcBu:ZSiGvxfK7ZMWSFpC6p8FE//fcnbeWW
                                                            MD5:DD498D1C92CDE90EE47FD8F35252E0DC
                                                            SHA1:F4BE2048DF71EDB563275CF13716E66975FFC32C
                                                            SHA-256:F1C1080E4C99742F10A77EDE8FA72A5BA38784A39751AD23D6F6C955B5A5452F
                                                            SHA-512:6CCE7137A166435AC535E8072E349E791C9C675EF0659113E5827E179DE12AE6D7EDDF622827885B2F8601B091B30D4ED87058C13DBCCDDA742B71BDD8D6AC11
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_220657.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_221658.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_222659.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_223659.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_224700.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_225700.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_230701.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_231702.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_232703.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_233705.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_234706.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220104_235707.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):814951
                                                            Entropy (8bit):7.943680227433188
                                                            Encrypted:false
                                                            SSDEEP:12288:1kdRqp9aXQ3wCaFaCdjVyXFh6wmHSs4Ze0HdJRn87hpoACTn4h:iXqp913wC7gyh69S1bRn87voFTk
                                                            MD5:FBBFD6C60128020EB5A66086B16EB09A
                                                            SHA1:86AAA2344F8D9F2FDE48DEE79AD797298BD3D911
                                                            SHA-256:E9178C68915C2817022D88B7C41AA45856957728D6B1D440ACFB6F889109BA5B
                                                            SHA-512:95020F8362C321DFE780576CE3FB11BBB5121187940978CB14D84FB29E005040E9C12D84B0210FE9AAD468FF41B91883253B12692348C95DA3A3045B921D0067
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...-Eu.....>..... ...UA.A...r..h..+.......8+.q.q..$~..gc..S..&*..Vu..V......>.....>.......j.{{...!fi.C.v<.,.t....l9"....X...u.|T...,......[v.]....v.....}....Q....x...z..._........;..s.}..n.X.y]..8...GYo...........q..c,dy......*.Q..whX..E.Q..U)m.Q..n.w.......;..?.t..f........M.G.7U.9......oz..B.h.j.6;..b.&z./.YO...I..*Q......].......(.`N...]l.`YZ7a.S.iVl....h...2q....7..!`i..#N......TC[OO6.:.....t..ck.3{p...Y.8G..-G....pb..'0..l..}.5...R4.'......0.......5H9p....v.+.........mp.s2Sv..IB..y@...>..}n.Mk.......u...'......8O...o..2.VB.8[...'P^.*;.&..{.[.<.opMv..Z.D.h!....'......@=..O..>.P.\.fa*/.1.....[..4m.Q.B.$.Y..^....8..7..&.h.j......a!.g..Q,.>.....}ZJ..i..kN{.%1.k.u.`..c...,.|...5...=.T....#...6_.Mg5.v&.h.B........`."..m..1<..[..9...P_.(o.....>9...8T.y2F..|k.....z...X...=.."P..0q.........@.../.&...b5. A.*M..).."o.$...?.h....r.#......jG+.
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_000709.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_001710.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_002712.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_003716.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_004717.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_005718.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_010719.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_011721.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_012722.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_013722.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_014723.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_015723.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_020724.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_021724.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_022725.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_023725.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_024726.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_025727.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_030727.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_031728.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_032728.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_033729.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_034729.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):801665
                                                            Entropy (8bit):7.943053037734203
                                                            Encrypted:false
                                                            SSDEEP:24576:0RFdKv5vFNFK1qeYY4GSBfiCloXpRMu5X:4FOdNE8eY9DqClipCu5X
                                                            MD5:859130BB4E8B241BAB2A8D894D083558
                                                            SHA1:9FC669AACE7616EA953E42C31F7B2AEA9FBB4BEA
                                                            SHA-256:D41976C978798B58BB1B4E3C23F7E374005D571751F72EDF21FE83169DA990D1
                                                            SHA-512:C5D77A1460DC9908E1634632F06CB7E0B93D718A18967BCA6AEE329CB63E020324BC8B1C1CF07D1384A15EDA69BF14C1D9825D39E3D28436CFA1111800FB4812
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4Ey......u7.....(..^p7.\1W..f1..cB.0F....#. n.... ..$.J.+..wpG........._=....9s......LwUuuuw.S..=........Q..M..m7....;.7.dm..G..y.2.8.f.-#..j..V5.4.{.n..m.....\..Q1{...._......[.........;....c.[.....[..v.8~..G,..mR....BWy~?..>f.~...}.....Y.M..i...c.K..TF*[........7..v.g.:7\".=.n}MX.:....B.c<....`..B.......~S.{/..^.XN...I|...aQ.X...n..Q0..fCc.G4......fp.m.1.)..6\....V...u.E...Z..v.k..x.+^111..s...R..'........e...>.9H>t..._.n..I........c.T.t.I...nH.s!m.Dm.[V.?.....c.O.9.k.j.<.Q..n..2[...8.B.v...XZ...f..{...4.=9'{.x.SZ.h...@.Y.@...v|..3.c..D...LL.d......$..4.Ge.e..T.|.'L.p..m....cZ.3.Q.M...I.....8Z..H.-.1.i...?...&&vj&...x..:.c./.7.e.o.....Fl.c.TV\..`m-..=t..,..b.....8.cT..h....00................`..@..D.Ohw.H4.uu.)6S........c@.v.`:.p..c..`.......ANjO#..I....-x2..J$.~..-..b........v.V..,...:..+.:].<.2.,_.c..uU..bm....`...t..... X.C..I!x-2...z..V.
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_035730.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..
                                                            C:\Users\user\AppData\Roaming\Screenshots\time_20220105_040730.png
                                                            Process:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):810227
                                                            Entropy (8bit):7.944312483525065
                                                            Encrypted:false
                                                            SSDEEP:12288:ZrtgEzGvXLNfiPB1rtH/M4tx7eYP0MHlc/FPxU/ARwEdSLmOoWrN/C8oWE/tV8Nq:ZSiGvxfK7ZMWSFpC6p8FE/tV8zmBcM
                                                            MD5:776A0435F0E79D7C7318403B9D7AF336
                                                            SHA1:8B2B8962D3963E53B4771C7AF4F26DDBF3518CD3
                                                            SHA-256:907C81063465F5B91D9599AAC6327F85814190EED73F5815B0BDFC2A6D35412A
                                                            SHA-512:A6F76BFDBCFC19F676297E4DAF4900F8211F8EEB07BE33F3D2874CCA975608E35EB3191EBC33D9FCAD822A0FC2BC3FA0C82B8D32CEDD4722079343341E3E16FD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4IU...m....(K7......". .*......0...,.*..7;4....l....8." .,6....4(t......'..oDFde..}u...TU,'....{3.vv.y.n.Z7.9.{..cn.....|...k.@..7k..7.9t.......e...'.`..n.s..bB:.+e..s.........9t...~...}).|..s.Z...Z\3.n..f..s..~.\G.[......L.d.s.....kU...6..o1.w..sMi.2.....!...d[..s..k.7..^....k\..HyRn?',6.g.[)x.......$t,dH.3.G.}..{/L./..S..g..."f}X..W.q..w......P.....3.{....;..,|...=.ox...'.C..h..[u.'.P..I.N..n......].f...1...I.t.vN......M..c.k.....u..'.,.J...3.0.J.......EU.5u...R.=.1.+...U....5<..M=..c.x.`./Cl,...........]..M_...c.O.%..j.<.Q......2..a..m.............u...4.=...L..D8....@...@.?A.@.....\.). ..J.......j.....`.!.......*.._.....2`.L"..c..L<..[...V.\..Gq$..L,-...3....l...&.....g#./d-....cDg.z...._.n..bH?.........Z.p.p..k....4...Sb...Z?.}T.;.....j..g[.m..{..e...a..p....z...?!]..h3*-.9.S..dQ...Ag..iS'.,...@.1n...O..D....A..d.@...`b.JD:.l.[0....k..8.i9..c..

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.983843341962055
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:SW0P9o9ksjpBsnr.exe
                                                            File size:2203648
                                                            MD5:27f2a9688ec34fc8aa3b0fee4757dd71
                                                            SHA1:9464f6bea3222c5598ecd9d29a8bc68c0998f926
                                                            SHA256:5733ad0577f5b8fc7e939b1daff3ff98b339bb47542a138b659e47b9001fbbd2
                                                            SHA512:c53a2a9efa08002acc8f4304bb7eff7b9e4ebd9e9dc0c5d2c73ad6798c59f2b851bce30c72389218c05ca5c8f562df38e1199950115f69e35cb6822462419544
                                                            SSDEEP:49152:Fk027OjSrCkg7gybKAOAM0hfucdaX2MEGfxDN+JAAPP6VvuHR:F/02OMxVOApAcdiEGfBN0Au6h
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..a..............0...!.........N.!.. ....!...@.. ........................"...........@................................

                                                            File Icon

                                                            Icon Hash:00828e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x61b54e
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp:0x61CBBF48 [Wed Dec 29 01:52:08 2021 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:v4.0.30319
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]

                                                            Data Directories

                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21b4fc | 0x4f | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21c000 | 0x600 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x21e000 | 0xc | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                            Sections

                                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x2000 | 0x219554 | 0x219600 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0x21c000 | 0x600 | 0x600 | False | 0.434895833333 | data | 4.21140615582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0x21e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            Name | RVA | Size | Type | Language | Country
                                                            RT_VERSION | 0x21c0a0 | 0x374 | data | |
                                                            RT_MANIFEST | 0x21c414 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                            Imports

                                                            DLL | Import
                                                            mscoree.dll | _CorExeMain

                                                            Version Infos

                                                            Description | Data
                                                            Translation | 0x0000 0x04b0
                                                            LegalCopyright | Copyright 2015
                                                            Assembly Version | 1.0.0.0
                                                            InternalName | SafeSerializationEventAr.exe
                                                            FileVersion | 1.0.0.0
                                                            CompanyName |
                                                            LegalTrademarks |
                                                            Comments |
                                                            ProductName | SettlersOfCatan
                                                            ProductVersion | 1.0.0.0
                                                            FileDescription | SettlersOfCatan
                                                            OriginalFilename | SafeSerializationEventAr.exe

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                            01/04/22-15:06:23.823422 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49765 | 104.16.155.36 | 192.168.2.5
                                                            01/04/22-15:06:24.046804 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49765 | 104.16.155.36 | 192.168.2.5

                                                            Network Port Distribution

                                                            TCP Packets

                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Jan 4, 2022 15:06:04.794853926 CET | 49756 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:05.002636909 CET | 1975 | 49756 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:05.510833025 CET | 49756 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:05.716233015 CET | 1975 | 49756 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:06.229660988 CET | 49756 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:06.438740015 CET | 1975 | 49756 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:08.911798954 CET | 49757 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:09.116815090 CET | 1975 | 49757 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:09.698676109 CET | 49757 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:09.903904915 CET | 1975 | 49757 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:10.570221901 CET | 49757 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:10.779735088 CET | 1975 | 49757 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:16.009948015 CET | 49759 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:16.215734959 CET | 1975 | 49759 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:16.822668076 CET | 49759 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:17.029038906 CET | 1975 | 49759 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:17.339328051 CET | 49760 | 9019 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:17.544970036 CET | 9019 | 49760 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:17.590009928 CET | 49759 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:17.797202110 CET | 1975 | 49759 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:18.088839054 CET | 49760 | 9019 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:18.113356113 CET | 49761 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:18.297019958 CET | 9019 | 49760 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:18.322815895 CET | 1975 | 49761 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:18.840070009 CET | 49761 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:18.878904104 CET | 49760 | 9019 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:19.047672033 CET | 1975 | 49761 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:19.084206104 CET | 9019 | 49760 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:19.730811119 CET | 49761 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:19.937570095 CET | 1975 | 49761 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:21.950500965 CET | 49763 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:22.169990063 CET | 1975 | 49763 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:22.731043100 CET | 49763 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:22.811355114 CET | 49764 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:22.938148022 CET | 1975 | 49763 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:23.016639948 CET | 1975 | 49764 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:23.543674946 CET | 49763 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:23.544948101 CET | 49764 | 1975 | 192.168.2.5 | 185.157.161.174
                                                            Jan 4, 2022 15:06:23.750112057 CET | 1975 | 49763 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:23.751362085 CET | 1975 | 49764 | 185.157.161.174 | 192.168.2.5
                                                            Jan 4, 2022 15:06:23.776499033 CET | 49765 | 80 | 192.168.2.5 | 104.16.155.36
                                                            Jan 4, 2022 15:06:23.792735100 CET | 80 | 49765 | 104.16.155.36 | 192.168.2.5
                                                            Jan 4, 2022 15:06:23.792906046 CET | 49765 | 80 | 192.168.2.5 | 104.16.155.36
                                                            Jan 4, 2022 15:06:23.793555021 CET | 49765 | 80 | 192.168.2.5 | 104.16.155.36
                                                            Jan 4, 2022 15:06:23.809622049 CET | 80 | 49765 | 104.16.155.36 | 192.168.2.5
                                                            Jan 4, 2022 15:06:23.823421955 CET | 80 | 49765 | 104.16.155.36 | 192.168.2.5
                                                            Jan 4, 2022 15:06:24.043625116 CET | 49765 | 80 | 192.168.2.5 | 104.16.155.36
                                                            Jan 4, 2022 15:06:24.046803951 CET | 80 | 49765 | 104.16.155.36 | 192.168.2.5
                                                            Jan 4, 2022 15:06:24.046865940 CET | 49765 | 80 | 192.168.2.5 | 104.16.155.36
                                                            Jan 4, 2022 15:06:24.092339039 CET497669019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:24.300904036 CET901949766185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:24.340593100 CET497641975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:24.545819998 CET197549764185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:24.903110981 CET497669019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:25.116525888 CET901949766185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:25.700063944 CET497669019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:25.777568102 CET497691975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:25.905333996 CET901949766185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:25.982969999 CET197549769185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:26.543853998 CET497691975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:26.750869989 CET197549769185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:27.340799093 CET497691975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:27.546267986 CET197549769185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:29.560872078 CET497721975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:29.561042070 CET497731975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:29.767103910 CET197549772185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:29.767131090 CET197549773185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:30.341115952 CET497721975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:30.341141939 CET497731975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:30.546564102 CET197549773185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:30.546586037 CET197549772185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:30.960683107 CET497759019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:31.168831110 CET901949775185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:31.232095957 CET497731975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:31.232100964 CET497721975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:31.438746929 CET197549773185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:31.438765049 CET197549772185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:31.700555086 CET497759019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:31.912044048 CET901949775185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:32.497560024 CET497759019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:32.703177929 CET901949775185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:34.399386883 CET497771975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:34.604890108 CET197549777185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:35.200901985 CET497771975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:35.406128883 CET197549777185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:35.997806072 CET497771975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:36.203161001 CET197549777185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:36.452394962 CET497821975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:36.669071913 CET197549782185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:37.201013088 CET497821975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:37.413005114 CET197549782185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:37.889887094 CET497849019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:37.997960091 CET497821975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:38.103564024 CET901949784185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:38.206825972 CET197549782185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:38.217931032 CET497851975192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:38.423767090 CET197549785185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:38.638617039 CET497849019192.168.2.5185.157.161.174
                                                            Jan 4, 2022 15:06:38.848782063 CET901949784185.157.161.174192.168.2.5
                                                            Jan 4, 2022 15:06:38.979795933 CET497851975192.168.2.5185.157.161.174

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2022 15:06:22.666641951 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:06:22.685647011 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:06:23.713320017 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:06:23.731823921 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:06:46.030277967 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:06:46.050786018 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:06:48.689799070 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:06:48.709620953 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:06:50.589838982 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:06:50.610759020 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:06:54.605858088 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:06:54.624644041 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:06:58.519088984 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:06:58.539190054 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:02.679861069 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:02.697153091 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:06.995929003 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:07.015086889 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:11.955128908 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:11.978346109 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:17.009006977 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:17.029227972 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:22.315131903 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:22.335664034 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:28.313379049 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:28.331489086 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:34.146763086 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:34.165414095 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:40.216717005 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:40.233660936 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:47.117548943 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:47.136590958 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Jan 4, 2022 15:07:50.891854048 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Jan 4, 2022 15:07:50.912226915 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 4, 2022 15:06:22.666641951 CET | 192.168.2.5 | 8.8.8.8 | 0x8478 | Standard query (0) | 9.96.11.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Jan 4, 2022 15:06:23.713320017 CET | 192.168.2.5 | 8.8.8.8 | 0x5de0 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:46.030277967 CET | 192.168.2.5 | 8.8.8.8 | 0x3434 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:48.689799070 CET | 192.168.2.5 | 8.8.8.8 | 0x12b0 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:50.589838982 CET | 192.168.2.5 | 8.8.8.8 | 0xbed8 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:54.605858088 CET | 192.168.2.5 | 8.8.8.8 | 0x7ac7 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:58.519088984 CET | 192.168.2.5 | 8.8.8.8 | 0xa5a2 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:02.679861069 CET | 192.168.2.5 | 8.8.8.8 | 0x5a38 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:06.995929003 CET | 192.168.2.5 | 8.8.8.8 | 0x895c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:11.955128908 CET | 192.168.2.5 | 8.8.8.8 | 0x2ad2 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:17.009006977 CET | 192.168.2.5 | 8.8.8.8 | 0xc09f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:22.315131903 CET | 192.168.2.5 | 8.8.8.8 | 0x8865 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:28.313379049 CET | 192.168.2.5 | 8.8.8.8 | 0xccb0 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:34.146763086 CET | 192.168.2.5 | 8.8.8.8 | 0x771c | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:40.216717005 CET | 192.168.2.5 | 8.8.8.8 | 0xbd9b | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:47.117548943 CET | 192.168.2.5 | 8.8.8.8 | 0x3256 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:50.891854048 CET | 192.168.2.5 | 8.8.8.8 | 0x28fd | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 4, 2022 15:06:22.685647011 CET | 8.8.8.8 | 192.168.2.5 | 0x8478 | Name error (3) | 9.96.11.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Jan 4, 2022 15:06:23.731823921 CET | 8.8.8.8 | 192.168.2.5 | 0x5de0 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:23.731823921 CET | 8.8.8.8 | 192.168.2.5 | 0x5de0 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:46.050786018 CET | 8.8.8.8 | 192.168.2.5 | 0x3434 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:48.709620953 CET | 8.8.8.8 | 192.168.2.5 | 0x12b0 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:50.610759020 CET | 8.8.8.8 | 192.168.2.5 | 0xbed8 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:54.624644041 CET | 8.8.8.8 | 192.168.2.5 | 0x7ac7 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:06:58.539190054 CET | 8.8.8.8 | 192.168.2.5 | 0xa5a2 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:02.697153091 CET | 8.8.8.8 | 192.168.2.5 | 0x5a38 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:07.015086889 CET | 8.8.8.8 | 192.168.2.5 | 0x895c | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:11.978346109 CET | 8.8.8.8 | 192.168.2.5 | 0x2ad2 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:17.029227972 CET | 8.8.8.8 | 192.168.2.5 | 0xc09f | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:22.335664034 CET | 8.8.8.8 | 192.168.2.5 | 0x8865 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:28.331489086 CET | 8.8.8.8 | 192.168.2.5 | 0xccb0 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:34.165414095 CET | 8.8.8.8 | 192.168.2.5 | 0x771c | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:40.233660936 CET | 8.8.8.8 | 192.168.2.5 | 0xbd9b | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:47.136590958 CET | 8.8.8.8 | 192.168.2.5 | 0x3256 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)
Jan 4, 2022 15:07:50.912226915 CET | 8.8.8.8 | 192.168.2.5 | 0x28fd | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• whatismyipaddress.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49765 | 104.16.155.36 | 80 |

Timestamp | kBytes transferred | Direction | Data
Jan 4, 2022 15:06:23.793555021 CET | 1145 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Jan 4, 2022 15:06:23.823421955 CET | 1146 | IN | HTTP/1.1 403 Forbidden
Date: Tue, 04 Jan 2022 14:06:23 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=9.gsBxN_TlFUSbreDLPbWL6FYpa.GN4p00zBzeoSM3A-1641305183-0-AeUdY+n5LN7USDwNfmj5TSRNGaWztIYvAklLwEwNucw9pUZwZ2l2ZbjFQzDfD62xzB8G6jLZy8vOobUN/MZShNg=; path=/; expires=Tue, 04-Jan-22 14:36:23 GMT; domain=.whatismyipaddress.com; HttpOnly
Server: cloudflare
CF-RAY: 6c8506f6cf196997-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020
Jan 4, 2022 15:06:24.046803951 CET | 1147 | IN | HTTP/1.1 403 Forbidden
Date: Tue, 04 Jan 2022 14:06:23 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=9.gsBxN_TlFUSbreDLPbWL6FYpa.GN4p00zBzeoSM3A-1641305183-0-AeUdY+n5LN7USDwNfmj5TSRNGaWztIYvAklLwEwNucw9pUZwZ2l2ZbjFQzDfD62xzB8G6jLZy8vOobUN/MZShNg=; path=/; expires=Tue, 04-Jan-22 14:36:23 GMT; domain=.whatismyipaddress.com; HttpOnly
Server: cloudflare
CF-RAY: 6c8506f6cf196997-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 4, 2022 15:06:46.421114922 CET | 587 | 49792 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:06:46.421591997 CET | 49792 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:06:46.611622095 CET | 587 | 49792 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 4, 2022 15:06:46.611896992 CET | 49792 | 587 | 192.168.2.5 | 66.29.159.53 | STARTTLS
Jan 4, 2022 15:06:46.810611010 CET | 587 | 49792 | 66.29.159.53 | 192.168.2.5 | 220 Ready to start TLS
Jan 4, 2022 15:06:49.138483047 CET | 587 | 49795 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:06:51.386814117 CET | 587 | 49797 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:06:51.387156963 CET | 49797 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:06:51.575973034 CET | 587 | 49797 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 4, 2022 15:06:55.005717039 CET | 587 | 49801 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:06:55.006125927 CET | 49801 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:06:55.179908991 CET | 587 | 49801 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 4, 2022 15:06:55.180218935 CET | 49801 | 587 | 192.168.2.5 | 66.29.159.53 | STARTTLS
Jan 4, 2022 15:06:55.359390974 CET | 587 | 49801 | 66.29.159.53 | 192.168.2.5 | 220 Ready to start TLS
Jan 4, 2022 15:06:58.884766102 CET | 587 | 49812 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:06:58.884994984 CET | 49812 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:06:59.061115026 CET | 587 | 49812 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 4, 2022 15:06:59.061346054 CET | 49812 | 587 | 192.168.2.5 | 66.29.159.53 | STARTTLS
Jan 4, 2022 15:06:59.247302055 CET | 587 | 49812 | 66.29.159.53 | 192.168.2.5 | 220 Ready to start TLS
Jan 4, 2022 15:07:03.044284105 CET | 587 | 49815 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:07:03.047522068 CET | 49815 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:07:03.229331970 CET | 587 | 49815 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 4, 2022 15:07:03.231827974 CET | 49815 | 587 | 192.168.2.5 | 66.29.159.53 | STARTTLS
Jan 4, 2022 15:07:03.412834883 CET | 587 | 49815 | 66.29.159.53 | 192.168.2.5 | 220 Ready to start TLS
Jan 4, 2022 15:07:07.378546000 CET | 587 | 49820 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:07:07.378879070 CET | 49820 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:07:07.556359053 CET | 587 | 49820 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 4, 2022 15:07:07.556588888 CET | 49820 | 587 | 192.168.2.5 | 66.29.159.53 | STARTTLS
Jan 4, 2022 15:07:07.727467060 CET | 587 | 49820 | 66.29.159.53 | 192.168.2.5 | 220 Ready to start TLS
Jan 4, 2022 15:07:12.349395037 CET | 587 | 49828 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:07:12.349598885 CET | 49828 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:07:12.520612955 CET | 587 | 49828 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 4, 2022 15:07:12.520833015 CET | 49828 | 587 | 192.168.2.5 | 66.29.159.53 | STARTTLS
Jan 4, 2022 15:07:12.686464071 CET | 587 | 49828 | 66.29.159.53 | 192.168.2.5 | 220 Ready to start TLS
Jan 4, 2022 15:07:17.387933016 CET | 587 | 49833 | 66.29.159.53 | 192.168.2.5 | 220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:07:17.388262033 CET | 49833 | 587 | 192.168.2.5 | 66.29.159.53 | EHLO 745481
Jan 4, 2022 15:07:17.564378023 CET | 587 | 49833 | 66.29.159.53 | 192.168.2.5 | 250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:17.564765930 CET49833587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:17.746862888 CET5874983366.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:22.703813076 CET5874984166.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:22.704210997 CET49841587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:22.880002022 CET5874984166.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:22.880523920 CET49841587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:23.047652006 CET5874984166.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:28.688891888 CET5874984666.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:28.689121962 CET49846587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:28.873761892 CET5874984666.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:28.874133110 CET49846587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:29.063883066 CET5874984666.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:34.570219994 CET5874985066.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:34.570785999 CET49850587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:34.764210939 CET5874985066.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:34.764679909 CET49850587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:34.955817938 CET5874985066.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:40.621457100 CET5874985666.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:40.621748924 CET49856587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:40.794528961 CET5874985666.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:40.795001984 CET49856587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:40.968621969 CET5874985666.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:47.483863115 CET5874986166.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:47.484101057 CET49861587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:47.664139032 CET5874986166.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:47.665640116 CET49861587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:47.845174074 CET5874986166.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:48.294898987 CET5874986266.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:48.295043945 CET49862587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:48.484863997 CET5874986266.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:48.485013962 CET49862587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:48.672544003 CET5874986266.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:50.919059038 CET5874986466.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:50.919236898 CET49864587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:50.956199884 CET5874986566.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:50.956459999 CET49865587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:51.100640059 CET5874986466.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:51.100797892 CET49864587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:51.133240938 CET5874986566.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:51.133446932 CET49865587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:51.277748108 CET5874986466.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:51.308254957 CET5874986566.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:51.311764956 CET5874986666.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:51.312067032 CET49866587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:51.500338078 CET5874986666.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:51.500576019 CET49866587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:51.691961050 CET5874986666.29.159.53192.168.2.5220 Ready to start TLS
                                                            Jan 4, 2022 15:07:58.125185013 CET5874987166.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                            Jan 4, 2022 15:07:58.125361919 CET49871587192.168.2.566.29.159.53EHLO 745481
                                                            Jan 4, 2022 15:07:58.320297003 CET5874987166.29.159.53192.168.2.5250-mta-10.privateemail.com
                                                            250-PIPELINING
                                                            250-SIZE 81788928
                                                            250-ETRN
                                                            250-AUTH PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-CHUNKING
                                                            250 STARTTLS
                                                            Jan 4, 2022 15:07:58.320461035 CET49871587192.168.2.566.29.159.53STARTTLS
                                                            Jan 4, 2022 15:07:58.519264936 CET5874987166.29.159.53192.168.2.5220 Ready to start TLS
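The SMTP rows above show one pattern repeated every few seconds: the sandboxed host opens a fresh submission session to 66.29.159.53:587, announces itself as the bare numeric name 745481, and upgrades to TLS so that nothing after the handshake is visible in the capture. The following is an added example, not code from the Joe Sandbox report: a parser for rows in the flattened form the page presents them in (timestamp, source port, destination port, source IP, destination IP and payload run together) and a small detector for that pattern. The digit runs are ambiguous on their own, so the parser enumerates every SMTP-consistent reading, requires exactly one endpoint to use a mail service port, and lets the unambiguous rows vote on the endpoint pair used to settle the rest. The set of mail ports, the 60-second window and the threshold of three sessions are assumptions; the sample rows are copied from the table above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: rows copied from this report's SMTP table in the flattened
# form shown on the page. Continuation lines of the multi-line EHLO reply carry
# no timestamp and are left out.
SAMPLE_ROWS = """\
Jan 4, 2022 15:07:07.378546000 CET5874982066.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:07:07.378879070 CET49820587192.168.2.566.29.159.53EHLO 745481
Jan 4, 2022 15:07:07.556359053 CET5874982066.29.159.53192.168.2.5250-mta-10.privateemail.com
Jan 4, 2022 15:07:07.556588888 CET49820587192.168.2.566.29.159.53STARTTLS
Jan 4, 2022 15:07:07.727467060 CET5874982066.29.159.53192.168.2.5220 Ready to start TLS
Jan 4, 2022 15:07:12.349395037 CET5874982866.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:07:12.349598885 CET49828587192.168.2.566.29.159.53EHLO 745481
Jan 4, 2022 15:07:12.520833015 CET49828587192.168.2.566.29.159.53STARTTLS
Jan 4, 2022 15:07:12.686464071 CET5874982866.29.159.53192.168.2.5220 Ready to start TLS
Jan 4, 2022 15:07:17.387933016 CET5874983366.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
Jan 4, 2022 15:07:17.388262033 CET49833587192.168.2.566.29.159.53EHLO 745481
Jan 4, 2022 15:07:17.564765930 CET49833587192.168.2.566.29.159.53STARTTLS
Jan 4, 2022 15:07:17.746862888 CET5874983366.29.159.53192.168.2.5220 Ready to start TLS
""".splitlines()

SMTP_SERVER_PORTS = {25, 465, 587, 2525}  # assumed set of mail service ports
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) [A-Z]{3,4}(.*)$")
# A payload must look like SMTP: a three-digit reply code or an upper-case verb.
DATA_RE = re.compile(r"^(?:\d{3}[ -]|[A-Z]{4,}\b)")


def _ip(octets):
    """Dotted IP from octet strings, or None when an octet is malformed."""
    ok = all(o == "0" or (o[0] != "0" and int(o) <= 255) for o in octets)
    return ".".join(octets) if ok else None


def candidate_parses(rest):
    """Every reading of '<sport><dport><src><dst><data>' that is SMTP-consistent."""
    out = []
    for n1 in range(1, 6):
        for n2 in range(1, 6):
            p1, p2, tail = rest[:n1], rest[n1:n1 + n2], rest[n1 + n2:]
            if not (p1.isdigit() and p2.isdigit()) or "0" in (p1[0], p2[0]):
                continue
            sp, dp = int(p1), int(p2)
            if max(sp, dp) > 65535 or (sp in SMTP_SERVER_PORTS) == (dp in SMTP_SERVER_PORTS):
                continue  # exactly one end is the mail service port
            # Only the last octet of src and the last octet of dst lack a delimiter
            # on their right, so enumerate just those two lengths.
            for dl in (1, 2, 3):
                for el in (1, 2, 3):
                    m = re.match(rf"^(\d{{1,3}})\.(\d{{1,3}})\.(\d{{1,3}})\.(\d{{{dl}}})"
                                 rf"(\d{{1,3}})\.(\d{{1,3}})\.(\d{{1,3}})\.(\d{{{el}}})(.*)$", tail)
                    if m:
                        src, dst = _ip(m.groups()[:4]), _ip(m.groups()[4:8])
                        if src and dst and DATA_RE.match(m.group(9)):
                            out.append((sp, dp, src, dst, m.group(9)))
    return out


def parse_rows(rows):
    """Parse rows; unambiguous rows vote for the endpoint pair that settles the rest."""
    parsed = []
    for row in rows:
        m = TS_RE.match(row)
        cands = m and candidate_parses(m.group(3))
        if not cands:
            raise ValueError(f"no SMTP-consistent parse: {row!r}")
        ts = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S").replace(microsecond=int(m.group(2)[:6]))
        parsed.append((ts, cands))
    votes = Counter(frozenset(c[2:4]) for _, cs in parsed if len(cs) == 1 for c in cs)
    return [dict(zip(("ts", "sport", "dport", "src", "dst", "data"),
                     (ts,) + max(cs, key=lambda c: votes[frozenset(c[2:4])])))
            for ts, cs in parsed]


def sessions(packets):
    """Group packets into client sessions keyed by (client IP, ephemeral port)."""
    sess = {}
    for p in packets:
        server_spoke = p["sport"] in SMTP_SERVER_PORTS
        client, cport = (p["dst"], p["dport"]) if server_spoke else (p["src"], p["sport"])
        s = sess.setdefault((client, cport), {"client": client, "server": p["src"] if server_spoke else p["dst"],
                                               "start": p["ts"], "ehlo": None, "starttls": False, "tls_ready": False})
        verb, _, arg = p["data"].partition(" ")
        if verb in ("EHLO", "HELO"):
            s["ehlo"] = arg
        elif verb == "STARTTLS":
            s["starttls"] = True
        elif s["starttls"] and verb == "220":  # server accepted STARTTLS; the rest is opaque
            s["tls_ready"] = True
    return sess


def findings(sess, window=timedelta(seconds=60), min_sessions=3):
    """Non-FQDN EHLO names, and bursts of short STARTTLS submission sessions to one server."""
    out = []
    for (client, cport), s in sess.items():
        name = s["ehlo"] or ""
        if name and "." not in name and not name.startswith("["):
            out.append(f"{client}:{cport} -> {s['server']}: EHLO '{name}' is not an FQDN"
                       + (" (all digits)" if name.isdigit() else ""))
    starts = defaultdict(list)
    for s in sess.values():
        if s["tls_ready"]:
            starts[(s["client"], s["server"])].append(s["start"])
    for (client, server), ts in starts.items():
        ts.sort()
        for i in range(len(ts)):
            n = sum(1 for t in ts[i:] if t - ts[i] <= window)
            if n >= min_sessions:
                out.append(f"{client} -> {server}: {n} STARTTLS submission sessions within {window.seconds}s")
                break
    return out


if __name__ == "__main__":
    for line in findings(sessions(parse_rows(SAMPLE_ROWS))):
        print(line)
```

Rows whose IP boundary cannot be settled by a vote (a capture with no unambiguous rows at all) fall back to the first reading, so check the printed endpoints against the report's own table before trusting a result on a different capture. On the report's full table the burst check fires on the first three sessions already; the EHLO check is the more portable signal, since a legitimate mail client announces a hostname or an address literal, not a six-digit number.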

                                                            Code Manipulations

                                                            Statistics

                                                            Behavior


                                                            System Behavior

                                                            General

                                                            Start time:15:05:40
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe"
                                                            Imagebase:0x800000
                                                            File size:2203648 bytes
                                                            MD5 hash:27F2A9688EC34FC8AA3B0FEE4757DD71
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low
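The Yara matches listed for each process name a memory dump such as 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp. Reading those names is what turns a long list of rule hits into a triage picture: which process and which region the hits cluster in, and whether that region is writable and executable. The following is an added example, not part of the Joe Sandbox report: it parses the match bullets, decodes the dump name, and ranks regions so that executable-and-writable ones with the most distinct rules come first. The field layout of the dump name (process index, dump phase, sequence number, base address, page protection, kind) is an assumption; only the address and protection fields are interpreted, the protection values as the Windows PAGE_* constants. The rule-name to family mapping is also assumed. The sample lines are copied from the entries for process index 0 and process index 4 (the re-launched copy further down, whose hits sit at 0x403000 although its Imagebase is given as 0xf60000).

```python
import re
from collections import defaultdict

# Constructed sample: Yara match lines copied from the process entries of this
# report (process index 0 is the original .NET image, process index 4 the
# re-launched copy).
SAMPLE_MATCHES = """\
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
""".splitlines()

MATCH_RE = re.compile(r"^[^A-Za-z]*Rule: (?P<rule>[^,]+), Description: (?P<desc>.+?), "
                      r"Source: (?P<src>[^,]+), Author: (?P<author>.+)$")
# Assumed layout of the dump name: <process index>.<dump phase>.<sequence>.<base
# address>.<page protection>.<kind>.sdmp; all fixed-width fields read as hex.
SOURCE_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<seq>\d+)\."
                       r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp$", re.I)
# Windows PAGE_* memory protection constants (low byte of the protection field).
PAGE_PROTECT = {0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
                0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE", 0x80: "EXECUTE_WRITECOPY"}
ALIASES = {"codoso_gh0st": "Gh0st", "hawkeye": "HawkEye"}  # assumed rule-name to family mapping


def parse_match(line):
    """One 'Rule: ..., Source: ...sdmp' bullet as a dict, with the dump name decoded."""
    m = MATCH_RE.match(line)
    s = m and SOURCE_RE.match(m["src"].strip())
    if not s:
        raise ValueError(f"unrecognised match line: {line!r}")
    prot = int(s["prot"], 16)
    return {"rule": m["rule"].strip(), "desc": m["desc"], "author": m["author"].strip(),
            "proc": int(s["proc"], 16), "phase": int(s["phase"], 16), "seq": int(s["seq"]),
            "base": int(s["base"], 16), "prot": prot,
            "prot_name": PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}"),
            "executable": bool(prot & 0xF0), "writable": bool(prot & 0xCC)}


def family(rule):
    """Collapse vendor prefixes and numeric suffixes: JoeSecurity_AgentTesla_1 -> AgentTesla."""
    name = re.sub(r"_\d+$", "", re.sub(r"^(?:JoeSecurity|RAT)_", "", rule))
    return ALIASES.get(name.lower(), name)


def triage(lines):
    """Group matches by (process, region); RWX regions with the most rules come first."""
    regions = defaultdict(lambda: {"rules": set(), "phases": set(), "prot": None, "rwx": False})
    for line in lines:
        if "Rule:" not in line:
            continue
        m = parse_match(line)
        r = regions[(m["proc"], m["base"])]
        r["rules"].add(m["rule"])
        r["phases"].add(m["phase"])
        r["prot"] = m["prot_name"]
        r["rwx"] = m["executable"] and m["writable"]
    rows = [{"proc": proc, "base": base, "prot": r["prot"], "rwx": r["rwx"],
             "rules": sorted(r["rules"]), "families": sorted({family(x) for x in r["rules"]}),
             "phases": sorted(r["phases"])} for (proc, base), r in regions.items()]
    rows.sort(key=lambda x: (not x["rwx"], -len(x["rules"]), x["proc"], x["base"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_MATCHES):
        flag = "RWX" if r["rwx"] else "   "
        print(f"{flag} proc {r['proc']} 0x{r['base']:08x} {r['prot']:<18} phases={r['phases']} {', '.join(r['families'])}")
```

On the sample the top row is process index 4, region 0x403000, EXECUTE_READWRITE, hit by four families across two dump phases; the process-0 hits at 0x3C99000 and 0x2CDD000 are READWRITE heap regions holding the still-packed payload and its strings. A writable and executable region that several families' rules fire on, at an address unrelated to the process's own image base, is the region to dump and unpack first.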

                                                            General

                                                            Start time:15:05:45
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\System32\BackgroundTransferHost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                            Imagebase:0x7ff612ab0000
                                                            File size:36864 bytes
                                                            MD5 hash:02BA81746B929ECC9DB6665589B68335
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate

                                                            General

                                                            Start time:15:05:52
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
                                                            Imagebase:0xf60000
                                                            File size:2203648 bytes
                                                            MD5 hash:27F2A9688EC34FC8AA3B0FEE4757DD71
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Visual Basic
                                                            Yara matches:
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Florian Roth
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Florian Roth
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Florian Roth
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:15:05:59
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\AppData\Local\Temp\bin.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\bin.exe" 0
                                                            Imagebase:0x880000
                                                            File size:115712 bytes
                                                            MD5 hash:805FBB84293E86F25B566A5B2C2815D2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000002.525512056.00000000009CF000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000002.525512056.00000000009CF000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000003.295601289.00000000010E4000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000003.295601289.00000000010E4000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000003.295697323.00000000010E4000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000003.295697323.00000000010E4000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000000.290450731.00000000009CF000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000000.290450731.00000000009CF000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000000.291282105.00000000009CF000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000000.291282105.00000000009CF000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000B.00000000.290889845.00000000009CF000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000000.290889845.00000000009CF000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Florian Roth
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Florian Roth
                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: Joe Security
                                                            • Rule: AveMaria_WarZone, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\bin.exe, Author: unknown
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 76%, Metadefender
                                                            • Detection: 89%, ReversingLabs
                                                            Reputation:low

                                                            General

                                                            Start time:15:06:00
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\AppData\Local\Temp\warz.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\warz.exe" 0
                                                            Imagebase:0x1020000
                                                            File size:115712 bytes
                                                            MD5 hash:1D90A7DA17807F64F1699E5EA2091A36
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000002.311194083.000000000116F000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000002.311194083.000000000116F000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.299504412.0000000000DA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.299504412.0000000000DA0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.299610781.0000000000DA2000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.299610781.0000000000DA2000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000000.294592566.000000000116F000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000000.294592566.000000000116F000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000000.294916604.000000000116F000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000000.294916604.000000000116F000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.299968878.0000000000DA2000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.299968878.0000000000DA2000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000000.293514502.000000000116F000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000000.293514502.000000000116F000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000000.294003890.000000000116F000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000000.294003890.000000000116F000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Florian Roth
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Florian Roth
                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: Joe Security
                                                            • Rule: AveMaria_WarZone, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\warz.exe, Author: unknown
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 76%, Metadefender
                                                            • Detection: 89%, ReversingLabs
                                                            Reputation:low

                                                            General

                                                            Start time:15:06:02
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\AppData\Local\Temp\rem.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\rem.exe" 0
                                                            Imagebase:0x400000
                                                            File size:474112 bytes
                                                            MD5 hash:9E764165FBA9E86937643D84A2F4E063
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\rem.exe, Author: Joe Security
                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\rem.exe, Author: unknown
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 50%, Metadefender
                                                            • Detection: 86%, ReversingLabs
                                                            Reputation:low

                                                            General

                                                            Start time:15:06:02
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:powershell Add-MpPreference -ExclusionPath C:\
                                                            Imagebase:0x2b0000
                                                            File size:430592 bytes
                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Reputation:high

                                                            General

                                                            Start time:15:06:02
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\System32\cmd.exe
                                                            Imagebase:0x150000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, Author: unknown
                                                            Reputation:high

                                                            General

                                                            Start time:15:06:02
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7ecfc0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:15:06:02
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7ecfc0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:15:06:04
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:powershell Add-MpPreference -ExclusionPath C:\
                                                            Imagebase:0x2b0000
                                                            File size:430592 bytes
                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Reputation:high

                                                            General

                                                            Start time:15:06:04
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\AppData\Local\Temp\hawkstartup.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0
                                                            Imagebase:0x4d0000
                                                            File size:532992 bytes
                                                            MD5 hash:AEAF1943FB037B6529873D7CC47CE137
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                            • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Arnim Rupp
                                                            • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: Joe Security
                                                            • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, Author: JPCERT/CC Incident Response Group
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            Reputation:low

                                                            General

                                                            Start time:15:06:05
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7ecfc0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:15:06:05
                                                            Start date:04/01/2022
                                                            Path:C:\ProgramData\images.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\ProgramData\images.exe
                                                            Imagebase:0x330000
                                                            File size:115712 bytes
                                                            MD5 hash:1D90A7DA17807F64F1699E5EA2091A36
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000002.524271296.000000000047F000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000016.00000002.524271296.000000000047F000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000003.315040551.00000000014B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000016.00000003.315040551.00000000014B0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000000.304645862.000000000047F000.00000002.00020000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000016.00000000.304645862.000000000047F000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000003.315520254.00000000014B2000.00000004.00000001.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000016.00000003.315520254.00000000014B2000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\ProgramData\images.exe, Author: Florian Roth
                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\ProgramData\images.exe, Author: Florian Roth
                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\ProgramData\images.exe, Author: Florian Roth
                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\ProgramData\images.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\images.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\ProgramData\images.exe, Author: Joe Security
                                                            • Rule: AveMaria_WarZone, Description: unknown, Source: C:\ProgramData\images.exe, Author: unknown
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 76%, Metadefender
                                                            • Detection: 89%, ReversingLabs
                                                            Reputation:low

                                                            General

                                                            Start time:15:06:09
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0
                                                            Imagebase:0x8c0000
                                                            File size:221184 bytes
                                                            MD5 hash:F41809BC71EEB2C3B1676309139216A8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.311917188.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.311917188.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 51%, Metadefender
                                                            • Detection: 86%, ReversingLabs
                                                            Reputation:low

                                                            General

                                                            Start time:15:06:11
                                                            Start date:04/01/2022
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:powershell Add-MpPreference -ExclusionPath C:\
                                                            Imagebase:0x2b0000
                                                            File size:430592 bytes
                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Reputation:high

                                                            General

                                                            Start time:15:06:11
                                                            Start date:04/01/2022
                                                            Path:C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0
                                                            Imagebase:0xd0000
                                                            File size:220672 bytes
                                                            MD5 hash:421138225D5DEE81805C5E5072898504
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 86%, ReversingLabs

                                                            Disassembly

                                                            Code Analysis
