
Windows Analysis Report
steg.exe

Overview

General Information

Sample Name: steg.exe
Analysis ID: 593806
MD5: 30747bb37997b54d37bae65ae590b7e8
SHA1: d702ffaac8bf35f3372ef2c310b21eef8a91f6ea
SHA256: a39f2e3d1a27bd091c689a09499b374e5f6743de23b42bfd9c7a17c1d49dfad7
Tags: NET, exe, hawkeye, keylogger

Detection

Detection: HawkEye, BrowserPasswordDump Tool, EmailPasswordDump Tool
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HawkEye Keylogger
Yara detected AntiVM3
Antivirus detection for dropped file
Yara detected EmailPasswordDump Tool by SecurityXploded
Yara detected BrowserPasswordDump Tool by SecurityXploded
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Installs a global keyboard hook
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: CurrentVersion Autorun Keys Modification
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to query network adapater information
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • steg.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\steg.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
    • Windows Update.exe (PID: 7000 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
      • dw20.exe (PID: 5912 cmdline: dw20.exe -x -s 2708 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • WindowsUpdate.exe (PID: 6424 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
    • Windows Update.exe (PID: 5876 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
      • dw20.exe (PID: 5528 cmdline: dw20.exe -x -s 2676 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
steg.exe | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x78b0f:$x1: http://securityxploded.com; 0xfee48:$x1: http://securityxploded.com
steg.exe | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
steg.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
steg.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
steg.exe | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x78b0f:$x1: http://securityxploded.com; 0xfee48:$x1: http://securityxploded.com
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |
(5 entries)

Source | Rule | Description | Author | Strings
0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |
(79 entries in total; 5 shown)

Source | Rule | Description | Author | Strings
4.2.Windows Update.exe.9d97c.1.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x726cc:$x1: http://securityxploded.com
4.2.Windows Update.exe.9d97c.1.unpack | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
12.2.WindowsUpdate.exe.2cb377.2.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x6e998:$x1: http://securityxploded.com
12.2.WindowsUpdate.exe.2cb377.2.unpack | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |
4.0.Windows Update.exe.1b377.2.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x6e998:$x1: http://securityxploded.com
(242 entries in total; 5 shown)


Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Windows Update.exe, ProcessId: 7000, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
Source: Network Connection | Author: frack113 | Data: DestinationIp: 108.177.127.109, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Roaming\Windows Update.exe, Initiated: true, ProcessId: 7000, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49771
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Windows Update.exe, ProcessId: 7000, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\steg.exe, ProcessId: 6544, TargetFilename: C:\Users\user\AppData\Roaming\Windows Update.exe


                                AV Detection

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: TR/Golroted.xous
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: TR/Golroted.xous
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: steg.exe | Virustotal: Detection: 71%
Source: steg.exe | ReversingLabs: Detection: 88%
Source: steg.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 88%
Source: steg.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Joe Sandbox ML: detected
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 14.2.Windows Update.exe.ac0000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 14.2.Windows Update.exe.ac0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.9.unpack | Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.9.unpack | Avira: Label: TR/Spy.Gen
Source: 0.0.steg.exe.f80000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 0.0.steg.exe.f80000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.6.unpack | Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.6.unpack | Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.9.unpack | Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.9.unpack | Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.3.unpack | Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.3.unpack | Avira: Label: TR/Spy.Gen
Source: 4.0.Windows Update.exe.10000.3.unpack | Avira: Label: TR/Golroted.xous
Source: 4.0.Windows Update.exe.10000.3.unpack | Avira: Label: TR/Spy.Gen
Source: 14.0.Windows Update.exe.ac0000.6.unpack | Avira: Label: TR/Golroted.xous
Source: 14.0.Windows Update.exe.ac0000.6.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.steg.exe.f80000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 0.2.steg.exe.f80000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 4.2.Windows Update.exe.10000.0.unpack | Avira: Label: TR/Golroted.xous
Source: 4.2.Windows Update.exe.10000.0.unpack | Avira: Label: TR/Spy.Gen
Source: unknown | HTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.4:49770 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.4:49779 version: TLS 1.0
Source: steg.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\steg.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: steg.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbfX source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] z source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.357606780.00000000011EE000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDB source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbT source: Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: 1ioC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbf source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\dll\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\mscorlib.pdb 1X source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: rlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\dll\mscorlib.pdbf source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp
Source: steg.exe | Binary or memory string: autorun.inf
Source: steg.exe | Binary or memory string: [autorun]
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: autorun.inf
Source: Windows Update.exe | Binary or memory string: [autorun]
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe, 00000004.00000002.302693901.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000004.00000002.302693901.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: [autorun]
Source: Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: steg.exe | Binary or memory string: autorun.inf
Source: steg.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe.4.dr | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe.4.dr | Binary or memory string: [autorun]
Source: Windows Update.exe.0.dr | Binary or memory string: autorun.inf
Source: Windows Update.exe.0.dr | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\steg.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (3 entries)
Source: C:\Users\user\Desktop\steg.exe | Code function: 4x nop then jmp 03371A7Bh (2 entries)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then jmp 04BA1A7Bh (2 entries)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (3 entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2 entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (3 entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then jmp 053A1A7Bh (2 entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then mov esp, ebp

                                Networking

Source: C:\Users\user\AppData\Roaming\Windows Update.exe | DNS query: name: whatismyipaddress.com (20 identical entries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive (4 identical entries)
Source: global traffic | TCP traffic: 192.168.2.4:49771 -> 108.177.127.109:587 (2 identical entries)
Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | String found in binary or memory: http://192.99.212.64/WebPanel/log.php?username=
Source: Windows Update.exe, 0000000E.00000002.358146560.0000000001249000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
Source: Windows Update.exe | String found in binary or memory: http://digg.com
Source: Windows Update.exe | String found in binary or memory: http://dyn.com/dns/
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | String found in binary or memory: http://dyn.com/dns//
Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
                                Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
                                Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
                                Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
                                Source: Windows Update.exe.0.drString found in binary or memory: http://securityxploded.com/browser-password-dump.php
                                Source: Windows Update.exe.0.drString found in binary or memory: http://securityxploded.com/email-password-dump.php
                                Source: Windows Update.exeString found in binary or memory: http://slashdot.org/bookmark.pl
                                Source: Windows Update.exeString found in binary or memory: http://twitter.com/
                                Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com/
                                Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.drString found in binary or memory: http://whatismyipaddress.com/-
                                Source: Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.comx&#q
                                Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.comx&#qH
                                Source: Windows Update.exe.0.drString found in binary or memory: http://www.SecurityXploded.com
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                                Source: steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                                Source: steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comceta
                                Source: steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                                Source: steg.exe, 00000000.00000003.243241778.0000000005B88000.00000004.00000800.00020000.00000000.sdmp, steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                                Source: Windows Update.exeString found in binary or memory: http://www.linkedin.com/
                                Source: Windows Update.exeString found in binary or memory: http://www.myspace.com
                                Source: Windows Update.exeString found in binary or memory: http://www.reddit.com/login
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                                Source: steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coman
                                Source: steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.come
                                Source: steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comr
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                                Source: Windows Update.exeString found in binary or memory: http://www.stumbleupon.com/sign_up.php
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                                Source: steg.exe, 00000000.00000003.243445751.0000000005B88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com-
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                                Source: steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                                Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.drString found in binary or memory: https://000001BB00000050.oeaccount
                                Source: Windows Update.exeString found in binary or memory: https://accounts.google.com/servicelogin
                                Source: Windows Update.exeString found in binary or memory: https://login.yahoo.com/config/login
                                Source: Windows Update.exeString found in binary or memory: https://my.screenname.aol.com/_cqr/login/login.psp
                                Source: Windows Update.exeString found in binary or memory: https://myspace.com
                                Source: Windows Update.exeString found in binary or memory: https://pinterest.com/login/
                                Source: Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pki.goog/repository/0
                                Source: Windows Update.exeString found in binary or memory: https://signin.ebay.com/ws/ebayisapi.dll
                                Source: Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/mail/?p=BadCredentials
                                Source: Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/mail/?p=WantAuthError
                                Source: Windows Update.exeString found in binary or memory: https://twitter.com/
                                Source: Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddress.com
                                Source: Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddress.com/
                                Source: Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddress.comx&#q
                                Source: Windows Update.exeString found in binary or memory: https://www.amazon.com/ap/signin/190-9059340-4656153
                                Source: Windows Update.exeString found in binary or memory: https://www.amazon.com/gp/css/homepage.html
                                Source: Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                                Source: Windows Update.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.drString found in binary or memory: https://www.noip.com/
Source: unknown | DNS traffic detected: queries for: 140.244.14.0.in-addr.arpa
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_012BA09A recv,
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Tue, 22 Mar 2022 02:35:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    CF-Chl-Bypass: 1
    Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    X-Frame-Options: SAMEORIGIN
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Set-Cookie: __cf_bm=3T2zMhWJGUJiFvFygp4Ze35_fGFAV8AUcX3bmxdV52o-1647916550-0-AY8ARkBKAY0npUTkZLgdxWJqOZhqmSjbY7aXc+zs0c6A/7TMhypnyvrbA2CHANpeBLYSTVgqKfJygLjIYrQUBFI=; path=/; expires=Tue, 22-Mar-22 03:05:50 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
    Server: cloudflare
    CF-RAY: 6efb89487ef75c7a-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Tue, 22 Mar 2022 02:36:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    CF-Chl-Bypass: 1
    Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    X-Frame-Options: SAMEORIGIN
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Set-Cookie: __cf_bm=hUhD2UdX9KkVERfiV5SDQBrwmWvqrKnJHnrZS9gL4WQ-1647916576-0-Af8AuUM/CWRh6nfYYBFJyHJJ4OBNTTTEmP62nrYSdhQuKojNAEw1zeh8LNsfpa7olf2S2L1utyAPIOltIVpa2lM=; path=/; expires=Tue, 22-Mar-22 03:06:16 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
    Server: cloudflare
    CF-RAY: 6efb89ea99529064-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: Windows Update.exe.0.dr | String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.facebook.com (Facebook)
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.linkedin.com (Linkedin)
Source: Windows Update.exe.0.dr | String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.myspace.com (Myspace)
Source: Windows Update.exe.0.dr | String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.twitter.com (Twitter)
Source: steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | String found in binary or memory: SetEnvironmentVariableAOLEAUT32.dllhttp://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.yahoo.com (Yahoo)
Source: Windows Update.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Windows Update.exe | String found in binary or memory: http://www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: Windows Update.exe | String found in binary or memory: http://www.myspace.com equals www.myspace.com (Myspace)
Source: Windows Update.exe | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing

                                Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
                                Source: steg.exe, Form1.cs.Net Code: HookKeyboard
                                Source: Windows Update.exe.0.dr, Form1.cs.Net Code: HookKeyboard
                                Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: WindowsUpdate.exe.4.dr, Form1.cs.Net Code: HookKeyboard
                                Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs.Net Code: HookKeyboard
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs.Net Code: HookKeyboard
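The two dropped files above sit in the user's roaming profile under names that imitate Windows Update, and the same binaries carry the HookKeyboard method and register a low-level keyboard hook. The script below is an added hunting example, not code from the report or from the sample: it walks a directory tree for those two file names, hashes what it finds, checks the MZ header and the mscoree.dll import that every managed executable carries, and scans for the Win32 P/Invoke names a .NET keyboard hook needs (SetWindowsHookEx, CallNextHookEx, GetAsyncKeyState and friends), which a managed assembly stores as plain ASCII in its #Strings metadata heap. Assumptions: the file names are treated as hunt indicators although nothing on the page says they are fixed across samples; the API list is the usual hook set, since the page names only the HookKeyboard method; the demo tree is constructed so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names the report shows being written to %AppData%\Roaming.
# ASSUMPTION: used as hunt indicators; a miss on a host is inconclusive.
LOOKALIKE_NAMES = {"windows update.exe", "windowsupdate.exe"}

# P/Invoke targets a .NET low-level keyboard hook needs. ASSUMPTION: the
# report only names the HookKeyboard method; this is the usual Win32 set.
HOOK_APIS = [b"SetWindowsHookEx", b"CallNextHookEx", b"UnhookWindowsHookEx",
             b"GetAsyncKeyState", b"GetKeyboardState", b"ToUnicodeEx"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_file(path: Path) -> dict:
    """Static facts about one candidate file; no execution, no network."""
    data = path.read_bytes()
    return {
        "path": str(path),
        "sha256": sha256_of(path),
        "is_pe": data[:2] == b"MZ",
        # Every managed EXE imports mscoree.dll (_CorExeMain), so the name is
        # present as ASCII even when the assembly is obfuscated.
        "is_dotnet": b"mscoree.dll" in data,
        "hook_apis": sorted(a.decode() for a in HOOK_APIS if a in data),
        # The real Windows Update binaries live under the system directory,
        # never in a user's roaming profile.
        "in_user_profile": any(p.lower() == "appdata" for p in path.parts),
    }


def hunt(root) -> list:
    """Walk root and triage every file whose name matches a dropped-file name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in LOOKALIKE_NAMES:
                hits.append(triage_file(Path(dirpath) / name))
    return sorted(hits, key=lambda h: h["path"])


def score(hit: dict) -> str:
    """Rough priority: a PE in the profile that also references hook APIs first."""
    if hit["is_pe"] and hit["in_user_profile"] and hit["hook_apis"]:
        return "high"
    if hit["is_pe"] and hit["in_user_profile"]:
        return "medium"
    return "low"


def build_demo_tree(root) -> None:
    """Constructed files (not the real sample) so the hunt runs offline."""
    roaming = Path(root) / "AppData" / "Roaming"
    roaming.mkdir(parents=True)
    fake_keylogger = (b"MZ" + b"\0" * 62 + b"mscoree.dll\0user32.dll\0"
                      b"SetWindowsHookEx\0CallNextHookEx\0GetAsyncKeyState\0")
    (roaming / "Windows Update.exe").write_bytes(fake_keylogger)
    (roaming / "WindowsUpdate.exe").write_bytes(b"MZ" + b"\0" * 62)
    (roaming / "notes.txt").write_bytes(b"not a hit")


def demo() -> list:
    """Build the constructed tree in a temp dir and return the scored hits."""
    root = tempfile.mkdtemp(prefix="hawkeye-hunt-")
    build_demo_tree(root)
    return [dict(h, score=score(h)) for h in hunt(root)]


if __name__ == "__main__":
    for h in demo():
        print(h["score"], h["path"], h["sha256"][:16], h["hook_apis"])
```

On a live host, point `hunt()` at the users directory and compare the returned SHA-256 values with the sample hashes from the report header; the string scan only ranks candidates and is no substitute for pulling the file.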
Source: steg.exe, 00000000.00000002.282881047.000000000177A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FDE077
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FF8070
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F9B2E7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F9C2C7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F90287
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F90397
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FAC387
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F9E337
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FC64F7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F9F4F7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FF7590
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FBA6E7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FAB6E7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FC46C7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FC7627
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FF87EC
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FA2707
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FE4987
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_010798D1
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FCFAC7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FE3A57
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F8FA17
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F8FB27
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FF7B00
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FA7C87
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FD2C77
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FCDC27
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FDFD97
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FF4D00
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F93EC7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00F8FFF7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FE7FC7
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FF9F2B
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FB4F07
Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_03371E53
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0006E077
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00088070
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000FD0AC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000DB0DC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00020287
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000C02CC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0002C2C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0002B2E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0002E337
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0003C387
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00020397
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000564F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0002F4F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000F950C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00087590
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000F85DC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00057627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000546C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0004A6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0003B6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00032707
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000887EC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_001098D1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00074987
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0001FA17
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00073A57
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0005FAC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00087B00
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0001FB27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_000F2BFC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0005DC27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00062C77
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00037C87
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00084D00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00338070
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_0031E077
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_003AD0AC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002D0287
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002DB2E7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002DC2C7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002DE337
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002EC387
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002D0397
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_003064F7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002DF4F7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00337590
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00307627
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002FA6E7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002EB6E7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_003046C7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002E2707
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_003387EC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_003B98D1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00324987
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002CFA17
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00323A57
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_0030FAC7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002CFB27
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00337B00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_0030DC27
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00312C77
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002E7C87
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00334D00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_0031FD97
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002D3EC7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00339F2B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002F4F07
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_002CFFF7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_00327FC7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_04BA1E53
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B38070
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B1E077
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AD0287
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00ADB2E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00ADC2C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AEC387
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AD0397
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00ADE337
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B064F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00ADF4F7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B37590
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AFA6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AEB6E7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B07627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B046C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B387EC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AE2707
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00BB98D1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B24987
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B0FAC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00ACFA17
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B23A57
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00ACFB27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B37B00
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AE7C87
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B0DC27
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B12C77
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B1FD97
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B34D00
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AD3EC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00ACFFF7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B27FC7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B39F2B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00AF4F07
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_053A5C18
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_053A5C13
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_053A1C60
Source: steg.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: steg.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: steg.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: security.dll
Source: steg.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: steg.exe, type: SAMPLE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.2.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.0.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.8.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.2.Windows Update.exe.acb377.2.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.4.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.acb377.1.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.4.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.f8b377.2.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.100d97c.1.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.11.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.2.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.2.Windows Update.exe.b4d97c.1.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE | Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.b4d97c.7.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.1.Windows Update.exe.1b377.0.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.1b377.7.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.acb377.10.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 0.2.steg.exe.100d97c.1.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.1.Windows Update.exe.1b377.0.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.1.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.1.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 12.0.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 0.2.steg.exe.f8b377.2.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.1b377.11.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.9d97c.5.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.9d97c.10.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.acb377.5.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 12.2.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.0.Windows Update.exe.9d97c.8.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPEMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00B2EC57 appears 43 times
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 0007EC57 appears 38 times
                                Source: C:\Users\user\Desktop\steg.exe Code function: String function: 00FEEC57 appears 43 times
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 0032EC57 appears 43 times
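The four String function addresses above differ only by image base. Rebasing each onto the base visible in the unpack source names of the Yara section (f80000, 10000, 2c0000 and ac0000 for PIDs 0, 4, 12 and 14) gives the same RVA 0x6EC57 in every process, so the report is seeing one function in four relocated copies of the same code rather than four unrelated routines; the sub-region dumps (…d97c and …b377) line up the same way at RVAs 0x8D97C and 0xB377. The Python below is an added worked example, not part of the Joe Sandbox report. Its sample input is a subset of the source names and the four Code function lines copied from this report; treating the lowest-addressed dump of each PID as that process's image base is an assumption about how the report names its dumps.

```python
import re

# Constructed sample input, copied from this report: a subset of the "*.unpack"
# source names from the Yara section (enough to recover one image base per
# process id) and the four "Code function: String function" entries.
UNPACK_SOURCES = [
    "0.0.steg.exe.f80000.0.unpack",
    "0.0.steg.exe.100d97c.1.unpack",
    "0.0.steg.exe.f8b377.2.raw.unpack",
    "4.0.Windows Update.exe.10000.6.unpack",
    "4.0.Windows Update.exe.9d97c.1.unpack",
    "4.0.Windows Update.exe.1b377.7.raw.unpack",
    "12.0.WindowsUpdate.exe.2c0000.0.unpack",
    "12.2.WindowsUpdate.exe.34d97c.1.raw.unpack",
    "14.0.Windows Update.exe.ac0000.0.unpack",
    "14.0.Windows Update.exe.b4d97c.2.unpack",
    "14.0.Windows Update.exe.acb377.5.unpack",
]
STRING_FUNCTION_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00B2EC57 appears 43 times",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 0007EC57 appears 38 times",
    r"Source: C:\Users\user\Desktop\steg.exe Code function: String function: 00FEEC57 appears 43 times",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 0032EC57 appears 43 times",
]

# Source name layout as used in this report: "<pid>.<stage>.<image>.<hex addr>.<n>[.raw].unpack"
UNPACK_RE = re.compile(r"^(\d+)\.\d+\.(.+?)\.([0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
STRFUNC_RE = re.compile(r"String function: ([0-9A-Fa-f]{8}) appears (\d+) times")


def image_bases(sources):
    """Return {pid: (image name, base)} using the lowest dumped region per pid.

    Assumption: the lowest-addressed dump of a process (the ones ending in 0000
    here) is the module's image base; the other dumps are sub-regions of it.
    """
    bases = {}
    for name in sources:
        m = UNPACK_RE.match(name)
        if not m:
            continue
        pid, image, addr = int(m.group(1)), m.group(2), int(m.group(3), 16)
        if pid not in bases or addr < bases[pid][1]:
            bases[pid] = (image, addr)
    return bases


def to_rva(va, bases):
    """Map a virtual address to (pid, image, rva) via the highest base at or below it."""
    candidates = [(base, pid, image) for pid, (image, base) in bases.items() if base <= va]
    if not candidates:
        raise ValueError(f"no image base at or below {va:#x}")
    base, pid, image = max(candidates)
    return pid, image, va - base


def normalize_string_functions(lines, sources):
    """Rebase every 'String function' VA found in the report lines onto its image."""
    bases = image_bases(sources)
    rows = []
    for line in lines:
        m = STRFUNC_RE.search(line)
        if not m:
            continue
        va = int(m.group(1), 16)
        pid, image, rva = to_rva(va, bases)
        rows.append({"pid": pid, "image": image, "va": va, "rva": rva, "count": int(m.group(2))})
    return rows


def distinct_rvas(rows):
    """The set of RVAs seen; a single value means one function in several relocated copies."""
    return sorted({r["rva"] for r in rows})


if __name__ == "__main__":
    rows = normalize_string_functions(STRING_FUNCTION_LINES, UNPACK_SOURCES)
    for r in rows:
        print(f"pid {r['pid']:>2}  {r['image']:<20} VA {r['va']:#010x} -> RVA {r['rva']:#x}  ({r['count']} references)")
    print("distinct RVAs:", [hex(x) for x in distinct_rvas(rows)])
```

Rebasing to RVAs before comparing addresses is the general habit worth taking from this: any per-process address in a sandbox report (string function, hook installation site, API call site) is only comparable across processes, or against a disassembly of the dropped file, once the image base has been subtracted.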
                                Source: steg.exe Binary or memory string: OriginalFilename vs steg.exe
                                Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStub.exe, vs steg.exe
                                Source: steg.exe, 00000000.00000002.282881047.000000000177A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs steg.exe
                                Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe, vs steg.exe
                                Source: steg.exe Binary or memory string: OriginalFilenameStub.exe, vs steg.exe
                                Source: steg.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                Source: C:\Users\user\Desktop\steg.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
                                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/15@9/3
                                Source: C:\Users\user\Desktop\steg.exe File read: C:\Users\user\Desktop\desktop.ini
                                Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() (found in Form1.cs of each of the 17 sources below)
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs
                                Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs
                                Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs
                                Source: steg.exe, Form1.cs
                                Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs
                                Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs
                                Source: Windows Update.exe.0.dr, Form1.cs
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs
                                Source: WindowsUpdate.exe.4.dr, Form1.cs
                                Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs
                                Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs
                                Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs
                                Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs
                                Source: steg.exeVirustotal: Detection: 71%
                                Source: steg.exeReversingLabs: Detection: 88%
                                Source: C:\Users\user\Desktop\steg.exeFile read: C:\Users\user\Desktop\steg.exeJump to behavior
                                Source: C:\Users\user\Desktop\steg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                Source: unknown | Process created: C:\Users\user\Desktop\steg.exe "C:\Users\user\Desktop\steg.exe"
                                Source: C:\Users\user\Desktop\steg.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708
                                Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2676
                                Source: C:\Users\user\Desktop\steg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_05523C92 AdjustTokenPrivileges,
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_05523C5B AdjustTokenPrivileges,
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 entries)
                                Source: C:\Users\user\Desktop\steg.exe | File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                                Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: select * from logins where blacklisted_by_user=0;
                                Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: select * from moz_logins;/signons.txt/signons2.txt/signons3.txt\signons.sqlite#2c#2d---nss3.dllNSS_InitNSS_ShutdownPK11_GetInternalKeySlotPK11_FreeSlotPK11_AuthenticatePK11SDR_DecryptPK11_CheckUserPassword0
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Windows Update.exe, 0000000E.00000003.351328752.0000000007544000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: select * from moz_logins;
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                                Source: Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                                Source: C:\Users\user\Desktop\steg.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                                Source: steg.exe, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: Windows Update.exe.0.dr, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: WindowsUpdate.exe.4.dr, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs | Base64 encoded string: 'HLjw+uQlfj/cTMG+SN5gI9FjTJdblwS/zT57JSzaDjQXfyYEIC7qOaz7nLEILo0V'
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                                Source: steg.exe, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 entries)
                                Source: steg.exe, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                                Source: Windows Update.exe.0.dr, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 entries)
                                Source: Windows Update.exe.0.dr, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File read: C:\Windows\System32\drivers\etc\hosts (8 identical entries)
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                                Source: steg.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                                Source: C:\Users\user\Desktop\steg.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                                Source: steg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                                Source: steg.exe | Static file information: File size 1167872 > 1048576
                                Source: steg.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x119c00
                                Source: steg.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbfX source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] z source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.357606780.00000000011EE000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDB source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbT source: Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: 1ioC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdbndows Update.exe source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbf source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\dll\mscorlib.pdb* source: Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\mscorlib.pdb 1X source: Windows Update.exe, 0000000E.00000002.360415585.00000000074C0000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: rlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360778956.0000000007D9A000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000E.00000002.358374022.00000000012A7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\dll\mscorlib.pdbf source: Windows Update.exe, 00000004.00000002.305764946.00000000071AA000.00000004.00000010.00020000.00000000.sdmp

                                Data Obfuscation

                                Source: steg.exe, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: Windows Update.exe.0.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: WindowsUpdate.exe.4.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
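The memory strings listed earlier are the working set of a browser-credential dumper: the query against Chrome's `logins` table with its `blacklisted_by_user` column, the `moz_logins` query plus the `signons.txt`/`signons2.txt`/`signons3.txt`/`signons.sqlite` file names for Firefox, and the `nss3.dll` exports (`NSS_Init`, `PK11_GetInternalKeySlot`, `PK11SDR_Decrypt`, `PK11_CheckUserPassword`) needed to decrypt what Firefox stores. The `CreateDecryptor`/`TransformFinalBlock` calls in the same `Form1.cs` that holds a long Base64 string and an `Assembly::Load(System.Byte[])` are the usual shape of a .NET crypter: decrypt an embedded payload and load it in memory without touching disk. The scanner below is an added example, not part of this report and not Joe Security or HawkEye code. It looks for those string families in a file or memory dump, in both ASCII and UTF-16LE (how .NET stores user strings), and reports a family only when enough of its indicators co-occur. The family names and thresholds are this example's own choice; the sample dump is constructed from the strings quoted in this report.

```python
"""Scan a file or memory dump for the string families this report flags.

Added example, not part of the Joe Sandbox report and not HawkEye code: the
indicator strings are taken from the 'Binary or memory string', 'Cryptographic
APIs' and '.Net Code' findings of the report; family names and thresholds are
assumptions of this example.
"""
import json
import sys
from pathlib import Path

# A family is reported only when at least MIN of its indicators appear, so that a
# lone generic string (e.g. 'CreateDecryptor') does not trigger it on its own.
FAMILIES = {
    "chrome_login_data": (1, [
        b"select * from logins where blacklisted_by_user=0",  # Chrome 'Login Data' query
    ]),
    "firefox_nss_password_dump": (3, [
        b"select * from moz_logins",                            # signons.sqlite query
        b"signons.txt", b"signons2.txt", b"signons3.txt", b"signons.sqlite",
        b"nss3.dll", b"NSS_Init", b"PK11_GetInternalKeySlot",
        b"PK11SDR_Decrypt", b"PK11_CheckUserPassword",          # decrypt stored logins
    ]),
    "dotnet_decrypt_and_load": (3, [
        b"CreateDecryptor", b"TransformFinalBlock",             # SymmetricAlgorithm decrypt
        b"System.Reflection",                                   # Assembly.Load(byte[])
    ]),
}


def encodings(needle: bytes):
    """Yield the ASCII form and the UTF-16LE form (.NET #US user strings are UTF-16LE)."""
    yield needle
    yield needle.decode("ascii").encode("utf-16-le")


def scan_blob(blob: bytes) -> dict:
    """Return {family: [matched indicators]} for every family that meets its threshold."""
    hits = {}
    for family, (minimum, indicators) in FAMILIES.items():
        found = sorted(
            ind.decode("ascii")
            for ind in indicators
            if any(form in blob for form in encodings(ind))
        )
        if len(found) >= minimum:
            hits[family] = found
    return hits


def scan_file(path) -> dict:
    return scan_blob(Path(path).read_bytes())


# Constructed sample dump: the strings quoted in this report, padded with filler, with
# the Firefox query stored as UTF-16LE the way a .NET user string would be.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"select * from logins where blacklisted_by_user=0;\x00"
    + "select * from moz_logins;".encode("utf-16-le") + b"\x00" * 8
    + b"/signons.txt/signons2.txt/signons3.txt\\signons.sqlite#2c#2d---nss3.dll"
    + b"NSS_InitNSS_ShutdownPK11_GetInternalKeySlotPK11_FreeSlotPK11_Authenticate"
    + b"PK11SDR_DecryptPK11_CheckUserPassword\x00"
    + b"CreateDecryptor\x00TransformFinalBlock\x00System.Reflection\x00"
)

# Constructed benign input: ordinary SQLite housekeeping, which also appears among this
# report's memory strings but says nothing about credential theft on its own.
BENIGN_SQLITE = b"SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master"

if __name__ == "__main__":
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_blob(SAMPLE_DUMP)
    print(json.dumps(result, indent=2))
```

Run it with a path argument to scan a dropped file or a process dump. A hit is a triage signal, not proof: a legitimate password manager or any SQLite-using application can carry a subset of these strings, which is why the Firefox and .NET families require several indicators before they are reported.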
                                Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_01072941 push ecx; ret
                                Source: C:\Users\user\Desktop\steg.exe | Code function: 0_2_00FEEC9C push ecx; ret
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_00102941 push ecx; ret
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4_2_0007EC9C push ecx; ret
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_003B2941 push ecx; ret
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_0032EC9C push ecx; ret
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 12_2_0254049C push ebx; retf
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00BB2941 push ecx; ret
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 14_2_00B2EC9C push ecx; ret
                                Source: C:\Users\user\Desktop\steg.exe | File created: C:\Users\user\AppData\Roaming\Windows Update.exe
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update (2 entries)
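Read together, the process-creation, File created and Run-key lines of this report tell the dropper story: steg.exe writes and launches "Windows Update.exe" under AppData\Roaming, that process drops "WindowsUpdate.exe" next to it, registers "Windows Update" under HKCU\...\Run, and on an unhandled exception the CLR spawns dw20.exe (the .NET Framework 2.0 error-reporting client, hence the `-x -s <handle>` arguments); "WindowsUpdate.exe" then relaunches "Windows Update.exe". The flat export hides that chain, so the script below, an added example and not a Joe Security tool, parses those three line shapes out of a text export, rebuilds the parent/child tree from the sandbox's "unknown" root, and lists the persistence and dropped-executable facts an analyst would carry into a ticket. The sample lines are copied from this report as the raw export renders them (source cell fused onto the signal, "Jump to ..." link text left in); the regular expressions and the check names are this example's own.

```python
"""Rebuild the process tree and the dropper/persistence facts from a Joe Sandbox text export.

Added example, not Joe Security tooling and not part of the report: it understands
only the three line shapes used in the sample below and assumes the source cell is
fused onto the signal text, as in the raw export of this page.
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# The source cell and the signal run together in the export ('...steg.exeProcess
# created: ...'), so 'src' is matched non-greedily up to the signal label. An
# optional ' | ' separator is tolerated for exports that were already cleaned up.
SRC = r"^Source:\s*(?P<src>.*?)\s*\|?\s*"
RE_PROC = re.compile(SRC + r"Process created:\s*(?P<image>[A-Za-z]:\\.*?\.exe)\s+(?P<cmdline>.*)$")
RE_FILE = re.compile(SRC + r"File created:\s*(?P<path>[A-Za-z]:\\.*?)\s*(?:Jump to [a-z ]+)?$")
RE_REG = re.compile(SRC + r"(?:Registry value|Key value) created or modified:\s*"
                    r"(?P<key>HKEY_\S+)\s+(?P<name>.*?)\s*(?:Jump to behavior)?$")


def parse_report(lines):
    """Return process edges, per-image command lines, created files and touched registry values."""
    tree, cmdlines = defaultdict(set), defaultdict(set)
    files, registry = set(), set()
    for line in lines:
        line = line.strip()
        if m := RE_PROC.match(line):
            tree[m["src"]].add(m["image"])
            cmdlines[m["image"]].add(m["cmdline"])
        elif m := RE_FILE.match(line):
            files.add(m["path"])
        elif m := RE_REG.match(line):
            registry.add((m["key"], m["name"]))
    return {"tree": dict(tree), "cmdlines": dict(cmdlines), "files": files, "registry": registry}


def summarize(parsed):
    """The facts an analyst pulls into a ticket: persistence, view tampering, dropped PEs."""
    notes = []
    for key, name in sorted(parsed["registry"]):
        if key.lower().endswith(r"\currentversion\run"):
            notes.append(f"persistence: Run value '{name}' under {key}")
        if key.lower().endswith(r"\explorer\advanced") and name.lower() == "hidden":
            notes.append(f"explorer view tampering: {key}\\{name}")
    for path in sorted(parsed["files"]):
        if path.lower().endswith(".exe") and "\\appdata\\" in path.lower():
            notes.append(f"dropped executable in user profile: {path}")
    launched = {child for kids in parsed["tree"].values() for child in kids}
    for path in sorted(parsed["files"] & launched):   # dropper -> payload relationship
        notes.append(f"dropped file executed: {path}")
    return notes


def render_tree(tree, root="unknown", indent=0, ancestors=()):
    """Indented parent -> child listing from the sandbox's 'unknown' root; cycle-safe."""
    out = []
    for child in sorted(tree.get(root, ())):
        out.append("  " * indent + child)
        if child not in ancestors:  # guard against a parent listed as its own descendant
            out.extend(render_tree(tree, child, indent + 1, ancestors + (child,)))
    return out


# Sample lines copied from this report, exactly as the raw export renders them.
REPORT_LINES = r"""
Source: unknownProcess created: C:\Users\user\Desktop\steg.exe "C:\Users\user\Desktop\steg.exe"
Source: C:\Users\user\Desktop\steg.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708
Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2676
Source: C:\Users\user\Desktop\steg.exeFile created: C:\Users\user\AppData\Local\Temp\SysInfo.txtJump to behavior
Source: C:\Users\user\Desktop\steg.exeFile created: C:\Users\user\AppData\Roaming\Windows Update.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exeFile created: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows UpdateJump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows UpdateJump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HiddenJump to behavior
""".strip().splitlines()

if __name__ == "__main__":
    src = Path(sys.argv[1]).read_text(errors="replace").splitlines() if len(sys.argv) > 1 else REPORT_LINES
    parsed = parse_report(src)
    print("\n".join(render_tree(parsed["tree"])))
    print("\n".join(summarize(parsed)))
```

Because the edges and registry tuples are collected into sets, the duplicated Run-key line and the twice-listed process creations collapse to one fact each, which is what you want before copying the chain into a report or a detection rule.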

                                Hooking and other Techniques for Hiding and Protection

                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                                Source: C:\Users\user\Desktop\steg.exe | Process information set: NOOPENFILEERRORBOX (31 identical entries)
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX (27 identical entries)
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Function Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadInformationSet,threadCreated,threadInformationSet,threadResumed,memAlloc,memAlloc,threadDelayed,processSet,processSet,threadDelayed,windowEnumerated,messagePosted,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,networkSend,deviceIO
                                Source: C:\Users\user\Desktop\steg.exe TID: 6616	Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3600	Thread sleep time: -120000s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5908	Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5908	Thread sleep time: -300000s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5908	Thread sleep time: -100000s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5164	Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1728	Thread sleep time: -120000s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6884	Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6884	Thread sleep time: -100000s >= -30000s
                                Source: C:\Users\user\Desktop\steg.exe	Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: GetAdaptersInfo,
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 120000
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 100000
                                Source: Windows Update.exe, 0000000E.00000002.357606780.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/o
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process queried: DebugPort
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process token adjusted: Debug
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 14_2_053A6358 LdrInitializeThunk,
                                Source: C:\Users\user\Desktop\steg.exe	Memory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: steg.exe, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: steg.exe, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: steg.exe, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: Windows Update.exe.0.dr, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: Windows Update.exe.0.dr, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: Windows Update.exe.0.dr, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 0.0.steg.exe.f80000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 0.0.steg.exe.f80000.0.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 0.0.steg.exe.f80000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 0.2.steg.exe.f80000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 0.2.steg.exe.f80000.0.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 0.2.steg.exe.f80000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: WindowsUpdate.exe.4.dr, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: WindowsUpdate.exe.4.dr, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: WindowsUpdate.exe.4.dr, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 4.0.Windows Update.exe.10000.9.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 4.0.Windows Update.exe.10000.9.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 4.0.Windows Update.exe.10000.9.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 4.0.Windows Update.exe.10000.6.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 4.0.Windows Update.exe.10000.6.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 4.0.Windows Update.exe.10000.6.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 4.0.Windows Update.exe.10000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 4.0.Windows Update.exe.10000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 4.0.Windows Update.exe.10000.0.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 4.0.Windows Update.exe.10000.3.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 4.0.Windows Update.exe.10000.3.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 4.0.Windows Update.exe.10000.3.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 4.2.Windows Update.exe.10000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 4.2.Windows Update.exe.10000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 4.2.Windows Update.exe.10000.0.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, RunPEx.cs	Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, RunPEx.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 14.2.Windows Update.exe.ac0000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 14.0.Windows Update.exe.ac0000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 14.0.Windows Update.exe.ac0000.0.unpack, RunPEx.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 14.0.Windows Update.exe.ac0000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, RunPEx.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 14.0.Windows Update.exe.ac0000.9.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, RunPEx.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: 14.0.Windows Update.exe.ac0000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                                Source: 14.0.Windows Update.exe.ac0000.6.unpack, RunPEx.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                                Source: C:\Users\user\Desktop\steg.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2708
                                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2676
                                Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [Program Manager - X1
                                Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                                Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerP
                                Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [Program Manager - 3/22/2022 4:04:32 AM]
                                Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [Program Manager - 3/22/2022 4:04:32 AM
                                Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [Program Manager
                                Source: Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: qedProgram Manager
                                Source: C:\Users\user\Desktop\steg.exe | Queries volume information (VolumeInformation) for each of the following font files:
                                    C:\Windows\Fonts\arial.ttf
                                    C:\Windows\Fonts\ariali.ttf
                                    C:\Windows\Fonts\arialbd.ttf
                                    C:\Windows\Fonts\arialbi.ttf
                                    C:\Windows\Fonts\ARIALN.TTF
                                    C:\Windows\Fonts\ariblk.ttf
                                    C:\Windows\Fonts\ARIALNI.TTF
                                    C:\Windows\Fonts\ARIALNB.TTF
                                    C:\Windows\Fonts\ARIALNBI.TTF
                                    C:\Windows\Fonts\bahnschrift.ttf
                                    C:\Windows\Fonts\calibri.ttf
                                    C:\Windows\Fonts\calibril.ttf
                                    C:\Windows\Fonts\calibrii.ttf
                                    C:\Windows\Fonts\calibrili.ttf
                                    C:\Windows\Fonts\calibrib.ttf
                                    C:\Windows\Fonts\calibriz.ttf
                                    C:\Windows\Fonts\cambria.ttc
                                    C:\Windows\Fonts\cambriai.ttf
                                    C:\Windows\Fonts\cambriab.ttf
                                    C:\Windows\Fonts\cambriaz.ttf
                                    C:\Windows\Fonts\Candara.ttf
                                    C:\Windows\Fonts\Candarai.ttf
                                    C:\Windows\Fonts\Candarab.ttf
                                    C:\Windows\Fonts\Candaraz.ttf
                                    C:\Windows\Fonts\comic.ttf
                                    C:\Windows\Fonts\comici.ttf
                                    C:\Windows\Fonts\comicbd.ttf
                                    C:\Windows\Fonts\comicz.ttf
                                    C:\Windows\Fonts\consola.ttf
                                    C:\Windows\Fonts\consolai.ttf
                                    C:\Windows\Fonts\consolab.ttf
                                    C:\Windows\Fonts\consolaz.ttf
                                    C:\Windows\Fonts\constan.ttf
                                    C:\Windows\Fonts\constani.ttf
                                    C:\Windows\Fonts\constanb.ttf
                                    C:\Windows\Fonts\constanz.ttf
                                    C:\Windows\Fonts\corbel.ttf
                                    C:\Windows\Fonts\corbeli.ttf
                                    C:\Windows\Fonts\corbelb.ttf
                                    C:\Windows\Fonts\corbelz.ttf
                                    C:\Windows\Fonts\cour.ttf
                                    C:\Windows\Fonts\couri.ttf
                                    C:\Windows\Fonts\courbd.ttf
                                    C:\Windows\Fonts\courbi.ttf
                                    C:\Windows\Fonts\ebrima.ttf
                                    C:\Windows\Fonts\ebrimabd.ttf
                                    C:\Windows\Fonts\framd.ttf
                                    C:\Windows\Fonts\FRADM.TTF
                                    C:\Windows\Fonts\framdit.ttf
                                    C:\Windows\Fonts\FRADMIT.TTF
                                    C:\Windows\Fonts\FRAMDCN.TTF
                                    C:\Windows\Fonts\FRADMCN.TTF
                                    C:\Windows\Fonts\FRAHV.TTF
                                    C:\Windows\Fonts\FRAHVIT.TTF
                                    C:\Windows\Fonts\Gabriola.ttf
                                    C:\Windows\Fonts\gadugi.ttf
                                    C:\Windows\Fonts\gadugib.ttf
                                    C:\Windows\Fonts\georgia.ttf
                                    C:\Windows\Fonts\georgiai.ttf
                                    C:\Windows\Fonts\georgiab.ttf
                                    C:\Windows\Fonts\georgiaz.ttf
                                    C:\Windows\Fonts\impact.ttf
                                    C:\Windows\Fonts\Inkfree.ttf
                                    C:\Windows\Fonts\javatext.ttf
                                    C:\Windows\Fonts\LeelawUI.ttf
                                    C:\Windows\Fonts\LeelUIsl.ttf
                                    C:\Windows\Fonts\LeelaUIb.ttf
                                    C:\Windows\Fonts\lucon.ttf
                                    C:\Windows\Fonts\l_10646.ttf
                                    C:\Windows\Fonts\malgun.ttf
                                    C:\Windows\Fonts\malgunsl.ttf
                                    C:\Windows\Fonts\malgunbd.ttf
                                    C:\Windows\Fonts\himalaya.ttf
                                    C:\Windows\Fonts\msjh.ttc
                                    C:\Windows\Fonts\msjhl.ttc
                                    C:\Windows\Fonts\msjhbd.ttc
                                    C:\Windows\Fonts\ntailu.ttf
                                    C:\Windows\Fonts\ntailub.ttf
                                    C:\Windows\Fonts\phagspa.ttf
                                    C:\Windows\Fonts\phagspab.ttf
                                    C:\Windows\Fonts\micross.ttf
                                    C:\Windows\Fonts\taile.ttf
                                    C:\Windows\Fonts\taileb.ttf
                                    C:\Windows\Fonts\msyh.ttc
                                    C:\Windows\Fonts\msyhl.ttc
                                    C:\Windows\Fonts\msyhbd.ttc
                                    C:\Windows\Fonts\msyi.ttf
                                    C:\Windows\Fonts\mingliub.ttc
                                    C:\Windows\Fonts\monbaiti.ttf
                                    C:\Windows\Fonts\msgothic.ttc
                                    C:\Windows\Fonts\mvboli.ttf
                                    C:\Windows\Fonts\mmrtext.ttf
                                    C:\Windows\Fonts\mmrtextb.ttf
                                    C:\Windows\Fonts\Nirmala.ttf
                                    C:\Windows\Fonts\NirmalaS.ttf
                                    C:\Windows\Fonts\NirmalaB.ttf
                                    C:\Windows\Fonts\pala.ttf
                                    C:\Windows\Fonts\palai.ttf
                                    C:\Windows\Fonts\palab.ttf
                                    C:\Windows\Fonts\palabi.ttf
                                    C:\Windows\Fonts\segoepr.ttf
                                    C:\Windows\Fonts\segoeprb.ttf
                                    C:\Windows\Fonts\segoesc.ttf
                                    C:\Windows\Fonts\segoescb.ttf
                                    C:\Windows\Fonts\seguisb.ttf
                                    C:\Windows\Fonts\segoeuii.ttf
                                    C:\Windows\Fonts\seguisli.ttf
                                    C:\Windows\Fonts\seguili.ttf
                                    C:\Windows\Fonts\seguisbi.ttf
                                    C:\Windows\Fonts\segoeuiz.ttf
                                    C:\Windows\Fonts\seguibl.ttf
                                    C:\Windows\Fonts\seguibli.ttf
                                    C:\Windows\Fonts\seguiemj.ttf
                                    C:\Windows\Fonts\seguihis.ttf
                                    C:\Windows\Fonts\seguisym.ttf
                                    C:\Windows\Fonts\simsun.ttc
                                    C:\Windows\Fonts\simsunb.ttf
                                    C:\Windows\Fonts\Sitka.ttc
                                    C:\Windows\Fonts\SitkaI.ttc
                                    C:\Windows\Fonts\SitkaB.ttc
                                    C:\Windows\Fonts\SitkaZ.ttc
                                    C:\Windows\Fonts\sylfaen.ttf
                                    C:\Windows\Fonts\symbol.ttf
                                    C:\Windows\Fonts\tahoma.ttf
                                    C:\Windows\Fonts\tahomabd.ttf
                                    C:\Windows\Fonts\timesi.ttf
                                    C:\Windows\Fonts\timesbd.ttf
                                    C:\Windows\Fonts\timesbi.ttf
                                    C:\Windows\Fonts\trebuc.ttf
                                    C:\Windows\Fonts\trebucit.ttf
                                    C:\Windows\Fonts\trebucbd.ttf
                                    C:\Windows\Fonts\trebucbi.ttf
                                    C:\Windows\Fonts\verdana.ttf
                                    C:\Windows\Fonts\verdanai.ttf
                                    C:\Windows\Fonts\verdanab.ttf
                                    C:\Windows\Fonts\verdanaz.ttf
                                    C:\Windows\Fonts\webdings.ttf
                                    C:\Windows\Fonts\wingding.ttf
                                    C:\Windows\Fonts\YuGothR.ttc
                                    C:\Windows\Fonts\YuGothM.ttc
                                    C:\Windows\Fonts\YuGothL.ttc
                                    C:\Windows\Fonts\YuGothB.ttc
                                    C:\Windows\Fonts\holomdl2.ttf
                                    C:\Windows\Fonts\CENTURY.TTF
                                    C:\Windows\Fonts\LEELAWAD.TTF
                                    C:\Windows\Fonts\LEELAWDB.TTF
                                    C:\Windows\Fonts\MSUIGHUR.TTF
                                    C:\Windows\Fonts\MSUIGHUB.TTF
                                    C:\Windows\Fonts\WINGDNG2.TTF
                                    C:\Windows\Fonts\WINGDNG3.TTF
                                    C:\Windows\Fonts\TEMPSITC.TTF
                                    C:\Windows\Fonts\PRISTINA.TTF
                                    C:\Windows\Fonts\PAPYRUS.TTF
                                    C:\Windows\Fonts\MISTRAL.TTF
                                    C:\Windows\Fonts\LHANDW.TTF
                                    C:\Windows\Fonts\ITCKRIST.TTF
                                    C:\Windows\Fonts\JUICE___.TTF
                                    C:\Windows\Fonts\FRSCRIPT.TTF
                                    C:\Windows\Fonts\FREESCPT.TTF
                                    C:\Windows\Fonts\BRADHITC.TTF
                                    C:\Windows\Fonts\OUTLOOK.TTF
                                    C:\Windows\Fonts\BKANT.TTF
                                    C:\Windows\Fonts\ANTQUAI.TTF
                                    C:\Windows\Fonts\ANTQUAB.TTF
                                    C:\Windows\Fonts\ANTQUABI.TTF
                                    C:\Windows\Fonts\GARA.TTF
                                    C:\Windows\Fonts\GARAIT.TTF
                                    C:\Windows\Fonts\GARABD.TTF
                                    C:\Windows\Fonts\MTCORSVA.TTF
                                    C:\Windows\Fonts\GOTHIC.TTF
                                    C:\Windows\Fonts\GOTHICI.TTF
                                    C:\Windows\Fonts\GOTHICB.TTF
                                    C:\Windows\Fonts\GOTHICBI.TTF
                                    C:\Windows\Fonts\ALGER.TTF
                                    C:\Windows\Fonts\BASKVILL.TTF
                                    C:\Windows\Fonts\BAUHS93.TTF
                                    C:\Windows\Fonts\BELL.TTF
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                                Source: C:\Users\user\Desktop\steg.exeCode function: 0_2_00FEB5AE cpuid
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                Source: C:\Users\user\AppData\Roaming\Windows Update.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                                Source: Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                                Stealing of Sensitive Information

                                Source: Yara match | File source: steg.exe, type: SAMPLE
                                Source: Yara match | File source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000004.00000002.302645603.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                                Source: Yara match | File source: steg.exe, type: SAMPLE
                                Source: Yara match | File source: 4.2.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.4.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.100d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.11.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.b4d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.7.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.100d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.1.Windows Update.exe.1b377.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.4.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.1.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.34d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.1.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.b4d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.5.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.5.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.100d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.10.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.34d97c.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.8.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.351328752.0000000007544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                                Source: Yara matchFile source: steg.exe, type: SAMPLE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2cb377.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.1b377.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.8.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.acb377.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.4.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f8b377.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.1.Windows Update.exe.1b377.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.7.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.10.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.1.Windows Update.exe.1b377.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.f8b377.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.11.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.5.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                                Source: Yara matchFile source: steg.exe, type: SAMPLE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.acb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.8.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.1b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.2.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.4.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.9.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.5.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.6.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.acb377.10.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
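The match lists above mix five kinds of evidence: the submitted SAMPLE, files DROPPED to disk, whole-process string scans (MEMORYSTR, carrying the image name and PID), individual memory dumps (MEMORY, the .sdmp names) and PE images carved out of memory (UNPACKEDPE, the .unpack names). For triage it helps to fold the hundreds of lines into a per-process view: which process indices produced matching dumps, which PIDs and image names were scanned, and which dropped paths to collect. The parser below is an added example and not Joe Sandbox code. The field layout it assumes for the .sdmp and .unpack names is inferred from the report itself (the hex process index 0000000E in MEMORY entries lines up with the decimal prefix 14 of the Windows Update.exe UNPACKEDPE entries); the names given to the remaining fields (phase, sequence, attrs) are assumptions, and the sample lines are a constructed subset of the report.

```python
"""Fold Joe Sandbox 'Yara match' source lines into a per-process triage summary.

Added example, not part of the Joe Sandbox report or product. The field layout
of .sdmp and .unpack names is inferred from the report, not from documentation:
treat 'phase', 'seq' and 'attrs' as assumed names.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape the report prints them.
SAMPLE_LINES = r"""
Source: Yara matchFile source: 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara matchFile source: steg.exe, type: SAMPLE
Source: Yara matchFile source: 4.2.Windows Update.exe.9d97c.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
"""

# "Source: Yara match" and "File source:" are two report columns run together.
LINE_RE = re.compile(
    r"^Source:\s*Yara match\s*File source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>[A-Z]+)\s*$")
# MEMORYSTR: Process Memory Space: <image> PID: <pid>
MEMSTR_RE = re.compile(r"^Process Memory Space:\s*(?P<name>.+?)\s+PID:\s*(?P<pid>\d+)$")
# UNPACKEDPE: <proc>.<phase>.<image>.<base hex>.<n>[.raw].unpack   (assumed layout)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<name>.+)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)"
    r"(?P<raw>\.raw)?\.unpack$")
# MEMORY: <proc hex>.<phase hex>.<seq>.<base hex>.<attrs...>.sdmp   (assumed layout)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<attrs>[0-9A-F.]+)\.sdmp$")


def parse_line(line):
    """Return a record dict for one report line, or None if it is not a match line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m.group("src"), m.group("kind")
    rec = {"kind": kind, "source": src}
    if kind == "MEMORYSTR":
        ms = MEMSTR_RE.match(src)
        if ms:
            rec.update(name=ms.group("name"), pid=int(ms.group("pid")))
    elif kind == "UNPACKEDPE":
        mu = UNPACK_RE.match(src)
        if mu:
            rec.update(proc=int(mu.group("proc")), phase=int(mu.group("phase")),
                       name=mu.group("name"), base=int(mu.group("base"), 16),
                       raw=bool(mu.group("raw")))
    elif kind == "MEMORY":
        md = SDMP_RE.match(src)
        if md:
            # Hex process index here equals the decimal prefix of the .unpack names.
            rec.update(proc=int(md.group("proc"), 16), phase=int(md.group("phase"), 16),
                       base=int(md.group("base"), 16), attrs=md.group("attrs").split("."))
    return rec


def parse_report(text):
    """Parse every match line in a block of report text, skipping anything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Collapse records into collectable artifacts and a per-process match view."""
    dropped, sample = set(), set()
    pids = defaultdict(set)        # image name -> PIDs whose memory strings matched
    unpacked = defaultdict(set)    # process index -> base addresses of carved PEs
    memory = defaultdict(int)      # process index -> number of matching dumps
    for r in records:
        k = r["kind"]
        if k == "SAMPLE":
            sample.add(r["source"])
        elif k == "DROPPED":
            dropped.add(r["source"])
        elif k == "MEMORYSTR" and "pid" in r:
            pids[r["name"]].add(r["pid"])
        elif k == "UNPACKEDPE" and "base" in r:
            unpacked[r["proc"]].add(r["base"])
        elif k == "MEMORY" and "proc" in r:
            memory[r["proc"]] += 1
    return {
        "sample": sorted(sample),
        "dropped": sorted(dropped),
        "pids": {n: sorted(p) for n, p in pids.items()},
        "unpacked": {i: sorted(b) for i, b in unpacked.items()},
        "memory": dict(memory),
        "processes": sorted(set(unpacked) | set(memory)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

Run it against the full report text and the "processes" list gives you the process indices to pull dumps for, "pids" the live processes to correlate with EDR telemetry, and "dropped" the persistence paths to collect. The regexes are deliberately strict, so a line whose name format differs from what is assumed here keeps its raw "source" but gains no parsed fields rather than being mis-attributed.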

                                Remote Access Functionality

                                Source: Yara matchFile source: steg.exe, type: SAMPLE
                                Source: Yara matchFile source: 4.2.Windows Update.exe.9d97c.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.9.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.8.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.10000.6.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.WindowsUpdate.exe.2cb377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.ac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f80000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.11.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.2.WindowsUpdate.exe.2c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.0.steg.exe.f8b377.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.1b377.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.Windows Update.exe.b4d97c.7.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.0.Windows Update.exe.9d97c.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: Process Memory Space: steg.exe PID: 6544, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Update.exe PID: 7000, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: WindowsUpdate.exe PID: 6424, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Update.exe PID: 5876, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: steg.exe; String found in binary or memory: HawkEye_Keylogger_Recoveries_
Source: steg.exe; String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: steg.exe; String found in binary or memory: HawkEyeKeylogger
Source: steg.exe; String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: steg.exe, 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: steg.exe, 00000000.00000002.283184355.00000000036D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: steg.exe, 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe; String found in binary or memory: HawkEye_Keylogger_Recoveries_
Source: Windows Update.exe; String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe; String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe; String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe, 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger|9
Source: Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe, 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000004.00000002.302645603.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000004.00000002.301900537.0000000002711000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe; String found in binary or memory: HawkEye_Keylogger_Recoveries_
Source: WindowsUpdate.exe; String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe; String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe; String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: WindowsUpdate.exe, 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000C.00000002.333848702.0000000002991000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger|9
Source: Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 0000000E.00000002.359194697.0000000003381000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: steg.exe; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: steg.exe; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: steg.exe; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: steg.exe; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe.4.dr; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe.4.dr; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe.4.dr; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: WindowsUpdate.exe.4.dr; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe.0.dr; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe.0.dr; String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe.0.dr; String found in binary or memory: ;HawkEye_Keylogger_Recoveries_CHawkEye Keylogger | Recoveries |
Source: Windows Update.exe.0.dr; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
MITRE ATT&CK matrix (one row per line, cells separated by " | "; the number in parentheses is the badge shown with a matched technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media (1) | Windows Management Instrumentation (21) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | Input Capture (211) | Peripheral Device Discovery (1) | Replication Through Removable Media (1) | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (4) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (2) | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Input Capture (211) | Exfiltration Over Bluetooth | Encrypted Channel (11) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection (12) | Obfuscated Files or Information (31) | Security Account Manager | System Information Discovery (23) | SMB/Windows Admin Shares | Clipboard Data (1) | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Software Packing (11) | NTDS | Security Software Discovery (141) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software (1) | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol (3) | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (41) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol (14) | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (41) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | System Network Configuration Discovery (11) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection (12) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Behavior Graph ID: 593806; Sample: steg.exe; Startdate: 22/03/2022; Architecture: WINDOWS; Score: 100
(numbers in parentheses after a process name are the graph's created registry value / created file counts)
Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 13 other signatures
steg.exe (7), started from the sample
  Dropped: C:\Users\user\AppData\...\Windows Update.exe, PE32; C:\...\Windows Update.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\steg.exe.log, ASCII
  Started: Windows Update.exe (16, 8)
WindowsUpdate.exe (7), started from the sample
  Dropped: C:\Users\user\...\WindowsUpdate.exe.log, ASCII
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: Windows Update.exe (8)
Windows Update.exe (16, 8), started by steg.exe
  DNS/IP: smtp.gmail.com 108.177.127.109, ports 49771, 49780, 587, GOOGLEUS, United States; whatismyipaddress.com 104.16.155.36, ports 443, 49769, 49770, CLOUDFLARENETUS, United States; 2 other IPs or domains
  Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe, PE32; C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII
  Signatures: Changes the view of files in windows explorer (hidden files and folders); Installs a global keyboard hook
  Started: dw20.exe (22, 6)
Windows Update.exe (8), started by WindowsUpdate.exe
  DNS/IP: 140.244.14.0.in-addr.arpa
  Started: dw20.exe

Antivirus detection, submitted sample:
Source | Detection | Scanner | Label
steg.exe | 71% | Virustotal |
steg.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
steg.exe | 100% | Avira | TR/Golroted.xous
steg.exe | 100% | Avira | TR/Spy.Gen
steg.exe | 100% | Joe Sandbox ML |
Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | TR/Golroted.xous
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | TR/Golroted.xous
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windows Update.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
Antivirus detection, unpacked PE files:
Source | Detection | Scanner | Label
12.0.WindowsUpdate.exe.2c0000.0.unpack | 100% | Avira | TR/Golroted.xous
12.0.WindowsUpdate.exe.2c0000.0.unpack | 100% | Avira | TR/Spy.Gen
12.2.WindowsUpdate.exe.2c0000.0.unpack | 100% | Avira | TR/Golroted.xous
12.2.WindowsUpdate.exe.2c0000.0.unpack | 100% | Avira | TR/Spy.Gen
14.2.Windows Update.exe.ac0000.0.unpack | 100% | Avira | TR/Golroted.xous
14.2.Windows Update.exe.ac0000.0.unpack | 100% | Avira | TR/Spy.Gen
14.0.Windows Update.exe.ac0000.0.unpack | 100% | Avira | TR/Golroted.xous
14.0.Windows Update.exe.ac0000.0.unpack | 100% | Avira | TR/Spy.Gen
4.0.Windows Update.exe.10000.9.unpack | 100% | Avira | TR/Golroted.xous
4.0.Windows Update.exe.10000.9.unpack | 100% | Avira | TR/Spy.Gen
0.0.steg.exe.f80000.0.unpack | 100% | Avira | TR/Golroted.xous
0.0.steg.exe.f80000.0.unpack | 100% | Avira | TR/Spy.Gen
4.0.Windows Update.exe.10000.6.unpack | 100% | Avira | TR/Golroted.xous
4.0.Windows Update.exe.10000.6.unpack | 100% | Avira | TR/Spy.Gen
4.0.Windows Update.exe.10000.0.unpack | 100% | Avira | TR/Golroted.xous
4.0.Windows Update.exe.10000.0.unpack | 100% | Avira | TR/Spy.Gen
14.0.Windows Update.exe.ac0000.9.unpack | 100% | Avira | TR/Golroted.xous
14.0.Windows Update.exe.ac0000.9.unpack | 100% | Avira | TR/Spy.Gen
14.0.Windows Update.exe.ac0000.3.unpack | 100% | Avira | TR/Golroted.xous
14.0.Windows Update.exe.ac0000.3.unpack | 100% | Avira | TR/Spy.Gen
4.0.Windows Update.exe.10000.3.unpack | 100% | Avira | TR/Golroted.xous
4.0.Windows Update.exe.10000.3.unpack | 100% | Avira | TR/Spy.Gen
14.0.Windows Update.exe.ac0000.6.unpack | 100% | Avira | TR/Golroted.xous
14.0.Windows Update.exe.ac0000.6.unpack | 100% | Avira | TR/Spy.Gen
0.2.steg.exe.f80000.0.unpack | 100% | Avira | TR/Golroted.xous
0.2.steg.exe.f80000.0.unpack | 100% | Avira | TR/Spy.Gen
4.2.Windows Update.exe.10000.0.unpack | 100% | Avira | TR/Golroted.xous
4.2.Windows Update.exe.10000.0.unpack | 100% | Avira | TR/Spy.Gen
                                No Antivirus matches
URL reputation:
Source | Detection | Scanner | Label
http://www.sajatypeworks.coman | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr1/gsr1.crl0; | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://whatismyipaddress.comx&#q | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comceta | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://pki.goog/repo/certs/gtsr1.der04 | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.tiro.com- | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.come | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.sajatypeworks.comr | 0% | Avira URL Cloud | safe
http://whatismyipaddress.comx&#q | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W | 0% | URL Reputation | safe
http://pki.goog/gsr1/gsr1.crt02 | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://192.99.212.64/WebPanel/log.php?username= | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://000001BB00000050.oeaccount | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://pki.goog/repo/certs/gts1c3.der0 | 0% | URL Reputation | safe
http://whatismyipaddress.comx&#qH | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | | high
smtp.gmail.com | 108.177.127.109 | true | false | | high
140.244.14.0.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | | high
https://whatismyipaddress.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.coman | steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pki.goog/gsr1/gsr1.crl0; | Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://accounts.google.com/servicelogin | Windows Update.exe | false | | high
http://www.fontbureau.com/designers/? | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whatismyipaddress.comx&#q | Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers? | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comceta | steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://my.screenname.aol.com/_cqr/login/login.psp | Windows Update.exe | false | | high
http://www.goodfont.co.kr | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/mail/?p=WantAuthError | Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pki.goog/repo/certs/gtsr1.der04 | Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://slashdot.org/bookmark.pl | Windows Update.exe | false | | high
http://www.sajatypeworks.com | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://dyn.com/dns// | steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | false | | high
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com/- | steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | false | | high
http://www.galapagosdesign.com/DPlease | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com- | steg.exe, 00000000.00000003.243445751.0000000005B88000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://signin.ebay.com/ws/ebayisapi.dll | Windows Update.exe | false | | high
https://login.yahoo.com/config/login | Windows Update.exe | false | | high
http://www.fonts.com | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.linkedin.com/ | Windows Update.exe | false | | high
http://www.sandoll.co.kr | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://digg.com | Windows Update.exe | false | | high
http://www.urwpp.deDPlease | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come | steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/mail/?p=BadCredentials | Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://whatismyipaddress.com | Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comF | steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comr | steg.exe, 00000000.00000003.238498642.0000000005B9B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dyn.com/dns/ | Windows Update.exe | false | | high
http://whatismyipaddress.comx&#q | Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.reddit.com/login | Windows Update.exe | false | | high
http://crl.pki.goog/gtsr1/gtsr1.crl0W | Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com | Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359319845.00000000033DD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.stumbleupon.com/sign_up.php | Windows Update.exe | false | | high
http://pki.goog/gsr1/gsr1.crt02 | Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://twitter.com/ | Windows Update.exe | false | | high
https://pki.goog/repository/0 | Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.myspace.com | Windows Update.exe | false | | high
http://www.carterandcone.coml | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.cloudflare.com/5xx-error-landing | Windows Update.exe, 00000004.00000002.302601416.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359863532.00000000037CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://twitter.com/ | Windows Update.exe | false | | high
http://192.99.212.64/WebPanel/log.php?username= | Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | steg.exe, 00000000.00000003.243241778.0000000005B88000.00000004.00000800.00020000.00000000.sdmp, steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pinterest.com/login/ | Windows Update.exe | false | | high
https://www.amazon.com/ap/signin/190-9059340-4656153 | Windows Update.exe | false | | high
https://www.noip.com/ | Windows Update.exe, Windows Update.exe, 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | false | | high
http://www.jiyu-kobo.co.jp/ | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://000001BB00000050.oeaccount | steg.exe, WindowsUpdate.exe.4.dr, Windows Update.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | steg.exe, 00000000.00000002.282794330.0000000001727000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | steg.exe, 00000000.00000002.283720083.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/accounts/servicelogin | Windows Update.exe | false | | high
https://www.amazon.com/gp/css/homepage.html | Windows Update.exe | false | | high
http://pki.goog/repo/certs/gts1c3.der0 | Windows Update.exe, 00000004.00000002.303327617.0000000005F06000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.302708796.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000004.00000002.303247628.0000000005ECF000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360478995.0000000007506000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.359982109.0000000003824000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000000E.00000002.360008316.000000000382A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.comx&#qH | Windows Update.exe, 00000004.00000002.301961765.000000000276D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://myspace.com | Windows Update.exe | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.16.155.36 | whatismyipaddress.com | United States | | 13335 | CLOUDFLARENETUS | false
108.177.127.109 | smtp.gmail.com | United States | | 15169 | GOOGLEUS | false
IP
192.168.2.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 593806
Start date and time: 2022-03-22 02:34:19 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: steg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/15@9/3
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 2.6% (good quality ratio 2.4%)
• Quality average: 57.9%
                                                                                                                  • Quality standard deviation: 28.3%
                                                                                                                  HCA Information:
                                                                                                                  • Successful, ratio: 100%
                                                                                                                  • Number of executed functions: 0
                                                                                                                  • Number of non-executed functions: 0
                                                                                                                  Cookbook Comments:
                                                                                                                  • Adjust boot time
                                                                                                                  • Enable AMSI
                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                  • TCP Packets have been reduced to 100
                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.189.173.20
                                                                                                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                                                                                                                  • Execution Graph export aborted for target Windows Update.exe, PID 7000 because there are no executed functions
                                                                                                                  • Not all processes were analyzed, report is missing behavior information
                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                  Time      Type             Description
                                                                                                                  03:35:50  API Interceptor  24x Sleep call for process: Windows Update.exe modified
                                                                                                                  03:35:53  API Interceptor  2x Sleep call for process: dw20.exe modified
                                                                                                                  03:35:53  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                  03:36:02  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                  No context
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):1.308745717009357
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Vpgu5sGzOe63aPLk9Mg5N3gFm1pzvTkyK81X+tXyXyE/u7siS274It:J5siOjayRvw06nE/u7siX4It
                                                                                                                  MD5:B342D04C5AE75D98E4FAEB0840B0B5F2
                                                                                                                  SHA1:F8FEB8B0BA5852FED3A968B56EC0C31979DA7379
                                                                                                                  SHA-256:E6FA2CC142861D08C8BE0D2BD56486245936A8FC6CB6C6DE142B774EA30CB8E9
                                                                                                                  SHA-512:B82C039FBF572D8EA2CA8454988E3D8E13CA79BEDD8D30E3D3260EF408FDED28FA04636C74AC4AFD7DF2B45A99610447414E5AAC596CE716BE542EDF85172893
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.3.9.0.1.7.8.3.0.4.1.3.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.3.9.0.1.7.9.2.1.0.3.6.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.4.1.e.7.6.9.-.1.6.e.d.-.4.0.1.b.-.8.8.3.a.-.2.f.0.2.4.e.6.c.2.f.d.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.u.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.f.4.-.0.0.0.1.-.0.0.1.c.-.b.9.d.d.-.7.2.9.5.9.5.3.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.b.9.f.5.b.c.b.3.4.3.d.1.3.2.4.c.4.6.6.7.3.1.b.0.0.7.c.1.f.8.e.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.0.2.f.f.a.a.c.8.b.f.3.5.f.3.3.7.2.e.f.2.c.3.1.0.b.2.1.e.e.f.8.a.9.1.f.6.e.a.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.5././.0.4././.0.9.:.0.4.:.5.8.:.4.6.!.0.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):65536
                                                                                                                  Entropy (8bit):1.3149700454264321
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:VKMk/sGzNe63aKsn9fbeN9M2v1zzv9kXZKIgjIRcMbu/u7siS274It:G/siNjaEdvO1nbu/u7siX4It
                                                                                                                  MD5:9DD407AF23C9BED0015D6D10A84A29D3
                                                                                                                  SHA1:FD2A24B6E56730ABD196C6AE99500A58260ECD19
                                                                                                                  SHA-256:CD3D2B403E849B3415E6710305A7FA1C3424C515F9F082180DFB0688324C13B2
                                                                                                                  SHA-512:388AD6A72B0103CC554E7FCE22118DBE7CE95EC4446F4478B185594468E6075BD67B2322BFD7144F73C45EE8E1ADF05C1E7E536AD20B06451F1C7CAF4AD91D4A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.3.9.0.1.5.1.7.6.2.6.7.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.3.9.0.1.5.2.5.1.2.6.5.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.2.c.d.e.e.3.-.8.0.2.2.-.4.8.1.7.-.8.c.b.0.-.e.2.1.e.c.1.d.6.d.1.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.u.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.c.-.2.0.3.8.-.a.1.8.6.9.5.3.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.b.9.f.5.b.c.b.3.4.3.d.1.3.2.4.c.4.6.6.7.3.1.b.0.0.7.c.1.f.8.e.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.0.2.f.f.a.a.c.8.b.f.3.5.f.3.3.7.2.e.f.2.c.3.1.0.b.2.1.e.e.f.8.a.9.1.f.6.e.a.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.5././.0.4././.0.9.:.0.4.:.5.8.:.4.6.!.0.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):7638
                                                                                                                  Entropy (8bit):3.685492785123007
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Rrl7r3GLNig56Pgv6YRO6+gmfZiSW+p1b61f2Jm:RrlsNiO6I6Yo6+gmf4SbbQfp
                                                                                                                  MD5:866A56B5FB111E45F768C6284D40346F
                                                                                                                  SHA1:95432D9402FD807511804CFF3B4D70056BC4FA89
                                                                                                                  SHA-256:A4D82922BBDCE338B22C867B0652C0265B116F54DBBFA7F617DDB323A3C15377
                                                                                                                  SHA-512:0410944F05D7B4C9C864F75A4A7F6C22E30F361FD95E4D2907A355376ABF0F8DC13D0247E04822037B8983B3EE4BF78DD59E2E6A52B4DEB08CE9304D047602C2
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.d.>.......
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4693
                                                                                                                  Entropy (8bit):4.449132467269561
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:cvIwSD8zsfJgtWI9SMWgc8sqYji8fm8M4JFK85xFJO+q8vj5AC+dOnVQEAEd:uITfBtlgrsqYrJFKy4KdACzVQEAEd
                                                                                                                  MD5:0C8D726E73F002B17F723F950C9CF9B8
                                                                                                                  SHA1:ACD71058C2FD5FCDDFF9F3BF7DAC96CCB4613D50
                                                                                                                  SHA-256:4467028406D5764C380B8E97DADFEA283CCE0105759D3A93623477BE88868E2A
                                                                                                                  SHA-512:4CA85B157BF51EAEA19259E34CAF163939F338C4E493A8F0057AE75629A754CF6245AAA310E9F257A137402138465B7E3C38BBD4B8CC121B5E8C8F54F3E328B9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1437826" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):7642
                                                                                                                  Entropy (8bit):3.684063614647202
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Rrl7r3GLNi7g6I6YO+6ZgmfZiSW+p1Ny1f8Pm:RrlsNi86I6Yf6Zgmf4SbNofJ
                                                                                                                  MD5:D115B32576A0D5FFD2448BFB47AF4C9A
                                                                                                                  SHA1:574BC5FF44E734B18CB42E6ACB97F441CCAD1360
                                                                                                                  SHA-256:BBF66801682AE643BF8CDDAFF2225C5C529E6FB40694306B8FF0FACB75664EEC
                                                                                                                  SHA-512:5E781A249369F6D2255717BAFD44F0C0BEF88AEE7697077FB469F594DC2AC8D33D5AC8F3E3C4C0DFE4551CE4ECCD3BC0303BD1071C89B87EAECAC16C717C79F9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.7.6.<./.P.i.d.>.......
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4693
                                                                                                                  Entropy (8bit):4.450845819338463
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:cvIwSD8zsfJgtWI9SMWgc8sqYjsz8fm8M4JFK85xFg+q8vj52z6+dOnVQEREd:uITfBtlgrsqYPJFKyMKdq6zVQEREd
                                                                                                                  MD5:9AA1F9B81F8152D17378B8C185247354
                                                                                                                  SHA1:B7A2AD40F56ED159255C18CA4BF67D2DD99F64FB
                                                                                                                  SHA-256:407DC00DC0733E4EC0225CC6FB9A89868954CD408ECC08AE5D76AB0C5DB47102
                                                                                                                  SHA-512:934F4FC98C318712844166E7CB5E8BA8B0320DB7F50F306BB50DF8D4AE434F9AAC69F03EBCDDB8FD87EB5DB5792AE07F9D3CEFB4C0626213C08296A8B94C08A9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1437826" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                  Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):664
                                                                                                                  Entropy (8bit):5.288448637977022
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                                                                                  MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                                                                                  SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                                                                                  SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                                                                                  SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                                                                                                  Process:C:\Users\user\Desktop\steg.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):664
                                                                                                                  Entropy (8bit):5.288448637977022
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                                                                                  MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                                                                                  SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                                                                                  SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                                                                                  SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                                                                                                  Process:C:\Users\user\Desktop\steg.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):48
                                                                                                                  Entropy (8bit):4.304047012067739
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:oNt+kiEaKC59KuCa:oNwknaZ5v
                                                                                                                  MD5:7C20EC9581869DA3A05E18186353A4B2
                                                                                                                  SHA1:210CC52C845FF85B36F422F4C36CA29DB3666482
                                                                                                                  SHA-256:23B52B6D0ABD0A0D20690B742429AD1B465D7050535E8FDDB85BF45A8498A4B0
                                                                                                                  SHA-512:4CED524729759783EA4783EE98650E6D912D8DAC53386E2DA3C812FE83F40FB1EB97C71521DF380191D399E284D0D94126BD5FC2CBD18B76142EC3A9E97FADA0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                  Process:C:\Users\user\Desktop\steg.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1167872
                                                                                                                  Entropy (8bit):6.562432865407771
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:IoLTkXBwWja4SlukeeKL0xJaqT//aqT8E94Tf3C:Nx6
                                                                                                                  MD5:30747BB37997B54D37BAE65AE590B7E8
                                                                                                                  SHA1:D702FFAAC8BF35F3372EF2C310B21EEF8A91F6EA
                                                                                                                  SHA-256:A39F2E3D1A27BD091C689A09499B374E5F6743DE23B42BFD9C7A17C1D49DFAD7
                                                                                                                  SHA-512:CBC7864F127574F1BCB20A442B83D394320BF325F73E75BC6FA8A2EDBBC568EF79973820A672F2340BA5379B9E6EA12C3BB518346B4D702280E9F595D2722322
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: SecurityXploded_Producer_String, Description: Detects hacktools by SecurityXploded, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Florian Roth
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Users\user\Desktop\steg.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):26
                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1167872
                                                                                                                  Entropy (8bit):6.562432865407771
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:IoLTkXBwWja4SlukeeKL0xJaqT//aqT8E94Tf3C:Nx6
                                                                                                                  MD5:30747BB37997B54D37BAE65AE590B7E8
                                                                                                                  SHA1:D702FFAAC8BF35F3372EF2C310B21EEF8A91F6EA
                                                                                                                  SHA-256:A39F2E3D1A27BD091C689A09499B374E5F6743DE23B42BFD9C7A17C1D49DFAD7
                                                                                                                  SHA-512:CBC7864F127574F1BCB20A442B83D394320BF325F73E75BC6FA8A2EDBBC568EF79973820A672F2340BA5379B9E6EA12C3BB518346B4D702280E9F595D2722322
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: SecurityXploded_Producer_String, Description: Detects hacktools by SecurityXploded, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Florian Roth
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):26
                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4
                                                                                                                  Entropy (8bit):2.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Ign:Ig
                                                                                                                  MD5:FDC0EB412A84FA549AFE68373D9087E9
                                                                                                                  SHA1:6E56295615BE063470CE266ABB0F949F84090CCD
                                                                                                                  SHA-256:E5FCF24812E6585EAC0EA6F1A5E3AB5A16B8C2B9568C10B4175EA088AAEAE014
                                                                                                                  SHA-512:6CE827A2F598C3C3E56D4BBE94632663848E24AAAB476302E905624EAD8047CB03119CA5655009ABD71FCE493089A7E654298CD9D93FAE2A99101E5E637B29DC
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:5876
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):49
                                                                                                                  Entropy (8bit):4.359935487883289
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:oNt+kiEaKC59KYr4a:oNwknaZ534a
                                                                                                                  MD5:EAB5D702695BC09B3A1E675917747986
                                                                                                                  SHA1:CCB1F880801A3826B484428802F66BDCCEDFF0B6
                                                                                                                  SHA-256:9E90C44A450FAD02151EC509448B88382B55A7CDC65D32EA970B9AE13C909709
                                                                                                                  SHA-512:7328E450F4E3AE277F5F30BAFC0D7D73835AEC39544A999A2A6D08DC6A20BF83874D7D3C5D8B24764F0C432D9A4F0A697377E27E89A5A4FC260E9041D7CF2EA6
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Entropy (8bit):6.562432865407771
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.65%
                                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                  • InstallShield setup (43055/19) 0.21%
                                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                                  File name:steg.exe
                                                                                                                  File size:1167872
                                                                                                                  MD5:30747bb37997b54d37bae65ae590b7e8
                                                                                                                  SHA1:d702ffaac8bf35f3372ef2c310b21eef8a91f6ea
                                                                                                                  SHA256:a39f2e3d1a27bd091c689a09499b374e5f6743de23b42bfd9c7a17c1d49dfad7
                                                                                                                  SHA512:cbc7864f127574f1bcb20a442b83d394320bf325f73e75bc6fa8a2edbbc568ef79973820a672f2340ba5379b9e6ea12c3bb518346b4d702280e9f595d2722322
                                                                                                                  SSDEEP:24576:IoLTkXBwWja4SlukeeKL0xJaqT//aqT8E94Tf3C:Nx6
                                                                                                                  Icon Hash:41455554545445a2
                                                                                                                  Entrypoint:0x51bb1e
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                  Time Stamp:0x55260706 [Thu Apr 9 04:58:46 2015 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:v2.0.50727
                                                                                                                  OS Version Major:4
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:4
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:4
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                  Instruction
                                                                                                                  jmp dword ptr [00402000h]
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x11bacc         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x11c000         0x3200        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x120000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x119b24      0x119c00  False     0.521700137256   data       6.57631984878   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x11c000         0x3200        0x3200    False     0.105546875      data       3.584800479     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x120000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                                                                                      Language  Country
RT_ICON        0x11c4e0  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 4286019447
RT_ICON        0x11c7c8  0x128   GLS_BINARY_LSB_FIRST
RT_ICON        0x11c8f0  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON        0x11d198  0x568   GLS_BINARY_LSB_FIRST
RT_ICON        0x11d700  0x353   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x11da58  0x10a8  data
RT_ICON        0x11eb00  0x468   GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x11ef68  0x68    data
RT_VERSION     0x11c250  0x290   MS Windows COFF PA-RISC object file
RT_MANIFEST    0x11efd0  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2014
Assembly Version  1.0.0.0
InternalName      Stub.exe
FileVersion       1.0.0.0
ProductName       Stub
ProductVersion    1.0.0.0
FileDescription   Stub
OriginalFilename  Stub.exe
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 22, 2022 03:35:49.548432112 CET  49769        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.564968109 CET  80           49769      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:49.565078020 CET  49769        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.565628052 CET  49769        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.581891060 CET  80           49769      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:49.603715897 CET  80           49769      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:49.648091078 CET  49769        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.651738882 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.651789904 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:49.651904106 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.919837952 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.919884920 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:49.970504045 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:49.970649958 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.973957062 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:49.973985910 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:49.974384069 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.138685942 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.471261024 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.502497911 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.502588987 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.502660990 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.502712011 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.502718925 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.502758026 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.502784014 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.502826929 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.502887964 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.502948046 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.502959967 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.503032923 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.503056049 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.503070116 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.503156900 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.503276110 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.503299952 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.503324986 CET  443          49770      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:50.503488064 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.503504992 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:50.510982990 CET  49770        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:51.510516882 CET  49769        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:51.527602911 CET  80           49769      104.16.155.36    192.168.2.4
Mar 22, 2022 03:35:51.527678967 CET  49769        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:35:51.615544081 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:51.642159939 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:51.642265081 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.781536102 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.781826973 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.808290005 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.813298941 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.813864946 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.840512037 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.841029882 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.867722034 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.867769957 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.867809057 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.867837906 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.867841959 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.867891073 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.874455929 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.901079893 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.913222075 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.939934015 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.941560984 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:52.968317986 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:52.969223022 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:53.000490904 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:53.186350107 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:53.187505007 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:53.213756084 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:53.214073896 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:53.420264959 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:53.446252108 CET  587          49771      108.177.127.109  192.168.2.4
Mar 22, 2022 03:35:53.448362112 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:35:57.867176056 CET  49771        587        192.168.2.4      108.177.127.109
Mar 22, 2022 03:36:14.397748947 CET  49778        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:14.414284945 CET  80           49778      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:14.414541006 CET  49778        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:14.415174961 CET  49778        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:14.432487011 CET  80           49778      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:14.441380978 CET  80           49778      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:14.476999998 CET  49779        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:14.477051020 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:14.477332115 CET  49779        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:14.641254902 CET  49778        80         192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:15.152592897 CET  49779        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:15.152631998 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:15.192732096 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:15.192898035 CET  49779        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:15.232606888 CET  49779        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:15.232662916 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:15.233402014 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:15.438199997 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:15.441008091 CET  49779        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:16.405088902 CET  49779        443        192.168.2.4      104.16.155.36
Mar 22, 2022 03:36:16.430988073 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:16.431046009 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:16.431090117 CET  443          49779      104.16.155.36    192.168.2.4
Mar 22, 2022 03:36:16.431113958 CET  49779        443        192.168.2.4      104.16.155.36
                                                                                                                  Mar 22, 2022 03:36:16.431128025 CET44349779104.16.155.36192.168.2.4
                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Mar 22, 2022 03:35:49.153886080 CET5774753192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:35:49.172836065 CET53577478.8.8.8192.168.2.4
                                                                                                                  Mar 22, 2022 03:35:49.480837107 CET5817153192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:35:49.502553940 CET53581718.8.8.8192.168.2.4
                                                                                                                  Mar 22, 2022 03:35:49.614589930 CET5759453192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:35:49.636188030 CET53575948.8.8.8192.168.2.4
                                                                                                                  Mar 22, 2022 03:35:51.556113005 CET6051253192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:35:51.583343983 CET53605128.8.8.8192.168.2.4
                                                                                                                  Mar 22, 2022 03:36:12.834089994 CET5247253192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:36:13.878803968 CET5247253192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:36:13.895982027 CET53524728.8.8.8192.168.2.4
                                                                                                                  Mar 22, 2022 03:36:14.321674109 CET6235453192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:36:14.345383883 CET53623548.8.8.8192.168.2.4
                                                                                                                  Mar 22, 2022 03:36:14.452385902 CET5006153192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:36:14.475357056 CET53500618.8.8.8192.168.2.4
                                                                                                                  Mar 22, 2022 03:36:18.751650095 CET6061253192.168.2.48.8.8.8
                                                                                                                  Mar 22, 2022 03:36:18.791414976 CET53606128.8.8.8192.168.2.4
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 22, 2022 03:35:49.153886080 CET | 192.168.2.4 | 8.8.8.8 | 0x88e5 | Standard query (0) | 140.244.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Mar 22, 2022 03:35:49.480837107 CET | 192.168.2.4 | 8.8.8.8 | 0x74aa | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 22, 2022 03:35:49.614589930 CET | 192.168.2.4 | 8.8.8.8 | 0xa390 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 22, 2022 03:35:51.556113005 CET | 192.168.2.4 | 8.8.8.8 | 0x6013 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:12.834089994 CET | 192.168.2.4 | 8.8.8.8 | 0xfeaa | Standard query (0) | 140.244.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Mar 22, 2022 03:36:13.878803968 CET | 192.168.2.4 | 8.8.8.8 | 0xfeaa | Standard query (0) | 140.244.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Mar 22, 2022 03:36:14.321674109 CET | 192.168.2.4 | 8.8.8.8 | 0xadcc | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:14.452385902 CET | 192.168.2.4 | 8.8.8.8 | 0x107a | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:18.751650095 CET | 192.168.2.4 | 8.8.8.8 | 0xbc04 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 22, 2022 03:35:49.172836065 CET | 8.8.8.8 | 192.168.2.4 | 0x88e5 | Name error (3) | 140.244.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Mar 22, 2022 03:35:49.502553940 CET | 8.8.8.8 | 192.168.2.4 | 0x74aa | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:35:49.502553940 CET | 8.8.8.8 | 192.168.2.4 | 0x74aa | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:35:49.636188030 CET | 8.8.8.8 | 192.168.2.4 | 0xa390 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:35:49.636188030 CET | 8.8.8.8 | 192.168.2.4 | 0xa390 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:35:51.583343983 CET | 8.8.8.8 | 192.168.2.4 | 0x6013 | No error (0) | smtp.gmail.com | | 108.177.127.109 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:13.895982027 CET | 8.8.8.8 | 192.168.2.4 | 0xfeaa | Name error (3) | 140.244.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Mar 22, 2022 03:36:14.345383883 CET | 8.8.8.8 | 192.168.2.4 | 0xadcc | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:14.345383883 CET | 8.8.8.8 | 192.168.2.4 | 0xadcc | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:14.475357056 CET | 8.8.8.8 | 192.168.2.4 | 0x107a | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:14.475357056 CET | 8.8.8.8 | 192.168.2.4 | 0x107a | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 22, 2022 03:36:18.791414976 CET | 8.8.8.8 | 192.168.2.4 | 0xbc04 | No error (0) | smtp.gmail.com | | 108.177.127.109 | A (IP address) | IN (0x0001)
                                                                                                                  • whatismyipaddress.com
Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49770 | Destination IP: 104.16.155.36 | Destination Port: 443 | Process: C:\Users\user\AppData\Roaming\Windows Update.exe
Timestamp | kBytes transferred | Direction | Data


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49779 | Destination IP: 104.16.155.36 | Destination Port: 443 | Process: C:\Users\user\AppData\Roaming\Windows Update.exe
Timestamp | kBytes transferred | Direction | Data

Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49769 | Destination IP: 104.16.155.36 | Destination Port: 80 | Process: C:\Users\user\AppData\Roaming\Windows Update.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2022 03:35:49.565628052 CET | 1104 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Mar 22, 2022 03:35:49.603715897 CET | 1105 | IN | HTTP/1.1 301 Moved Permanently
    Date: Tue, 22 Mar 2022 02:35:49 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 22 Mar 2022 03:35:49 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=53QQMXpMPcCLJhnrIhd4uQwKhvaVHuWdUaSUkQg8t4I-1647916549-0-AUj7mvNv//2DvTFG4Z2Izur5CTRXly0PLgi+Eoke1sPCjDbZRbjgA0S1wra+DbdqzomCsUSjeQ9lMSr7AJQww78=; path=/; expires=Tue, 22-Mar-22 03:05:49 GMT; domain=.whatismyipaddress.com; HttpOnly
    Server: cloudflare
    CF-RAY: 6efb8942dde4917d-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49778 | Destination IP: 104.16.155.36 | Destination Port: 80 | Process: C:\Users\user\AppData\Roaming\Windows Update.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2022 03:36:14.415174961 CET | 1174 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Mar 22, 2022 03:36:14.441380978 CET | 1175 | IN | HTTP/1.1 301 Moved Permanently
    Date: Tue, 22 Mar 2022 02:36:14 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 22 Mar 2022 03:36:14 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=4UcEFWn2A0cXPWmi9m4gedKGvZ4R41yYQP961Y5orhY-1647916574-0-AdqrTQrrEaUMa8pC2Ntu4bvgq2aGdo0Y8pidThm2inGzesessW4gsye/bsITcXYt2CUpVvXr7H1h6Rf/nUzG1WI=; path=/; expires=Tue, 22-Mar-22 03:06:14 GMT; domain=.whatismyipaddress.com; HttpOnly
    Server: cloudflare
    CF-RAY: 6efb89de28039974-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49770 | Destination IP: 104.16.155.36 | Destination Port: 443 | Process: C:\Users\user\AppData\Roaming\Windows Update.exe
Timestamp | kBytes transferred | Direction | Data
2022-03-22 02:35:50 UTC | 0 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
2022-03-22 02:35:50 UTC | 0 | IN | HTTP/1.1 403 Forbidden
    Date: Tue, 22 Mar 2022 02:35:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    CF-Chl-Bypass: 1
    Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    X-Frame-Options: SAMEORIGIN
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Set-Cookie: __cf_bm=3T2zMhWJGUJiFvFygp4Ze35_fGFAV8AUcX3bmxdV52o-1647916550-0-AY8ARkBKAY0npUTkZLgdxWJqOZhqmSjbY7aXc+zs0c6A/7TMhypnyvrbA2CHANpeBLYSTVgqKfJygLjIYrQUBFI=; path=/; expires=Tue, 22-Mar-22 03:05:50 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
    Server: cloudflare
    CF-RAY: 6efb89487ef75c7a-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-03-22 02:35:50 UTC | 1 | IN | Data Ascii: 33b1<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2022-03-22 02:35:50 UTC | 1 | IN | Data Ascii: o-js" lang="en-US"> ...<![endif]--><head><title>Please Wait... | Cloudflare</title> <meta name="captcha-bypass" id="captcha-bypass" /><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="
2022-03-22 02:35:50 UTC | 2 | IN | Data Ascii: GzNB1E", cFPWv: "b", cTTimeMs: "1000", cLt: "n", cRq: { ru: "aHR0cHM6Ly93aGF0aXNteWlwYWRkcmVzcy5jb20v", ra: "", rm: "R0VU", d: "X0QVzGV16QNX5ZpeplhbvlFpyQrP6ApMOYFLxOQQu10/9Qehemelbvj
2022-03-22 02:35:50 UTC | 4 | IN | Data Ascii: :69px; margin: auto;} #cf-wrapper #cf-please-wait{text-align:center} .attribution {margin-top: 32px;} .bubbles { background-color: #f58220; width:20px; height: 20px; margin:2px; border-radius:100%; display:inline-block; } #cf-wrapper #challenge-f
2022-03-22 02:35:50 UTC | 5 | IN | Data Ascii: <div class="cf-section cf-highlight cf-captcha-container"> <div class="cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <div class="cf-highlight-inverse cf-form-stacked
2022-03-22 02:35:50 UTC | 6 | IN | Data Ascii: 0xVzsJCHx9eVtHxBNE6n4fZPr29pWGPyBVOUoy6fTW0pnhPHtkFZSfeo5Z4R2OVudViq9qWvzMYmitplsXSxaYzW1JihZ5Par4X6c_LMF61W4wMuiobYFc-Rv0hOdWgCI-KLCk1qSa3kgA0DCtBoi7RYt8eMTR-iR5Vz0X8VTt5NmzmeLSdQMtxLzauicrv9fEiUIsL9Vz_K0IacEXKmy-9pObNVyH7NjQTM_cRcfIKM9nyLoSJCo2HJc-c-33x
2022-03-22 02:35:50 UTC | 8 | IN | Data Ascii: 5xgmQbtFC/l8EyHnsu8IA/MvDRB60emyPiUvH+zC1qBh84g5ZzB3q8Ca9BqPp3iygR/PK0O3sQteJ1sOAuqFXCUG6X77UW/nbhaNye/cnCtQTzTd6+C9wY2MZ5vgM6D+FhtXYn0hCqhrPtZ+q93QfYQTMW8ottHayL5HJBPyPkj3Ld579adJf+wBBxUz0YBQrQyiQ4chot2cafx1P6pdvEKKWYNMeXt2b2W6vWbYWU0Zw+b70py73JbwaGyUvAN
2022-03-22 02:35:50 UTC | 9 | IN | Data Ascii: e="color:#bd2426;">Please turn JavaScript on and reload the page.</h1> </noscript> <div id="no-cookie-warning" class="cookie-warning" data-translate="turn_on_cookies" style="display:none"> <p data-translate="turn_on_cookies" style="color:#bd24
2022-03-22 02:35:50 UTC | 10 | IN | Data Ascii: ibute("alt", ""); document.body.appendChild(trkjs); var cpo=document.createElement('script'); cpo.type='text/javascript'; cpo.src="/cdn-cgi/challenge-platform/h/b/orchestrate/managed/v1?ray=6efb89487ef75c7a";
                                                                                                                  2022-03-22 02:35:50 UTC12INData Raw: 76 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 64 6f 20 49 20 68 61 76 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 20 61 20 43 41 50 54 43 48 41 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65
                                                                                                                  Data Ascii: v> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2> <p data-translate
                                                                                                                  2022-03-22 02:35:50 UTC13INData Raw: 65 66 37 35 63 37 61 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 59 6f 75 72 20 49 50 3c 2f 73 70 61 6e 3e 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 39 33 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61
                                                                                                                  Data Ascii: ef75c7a</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm:block sm:mb-1"><span>Your IP</span>: 102.129.143.93</span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span cla
                                                                                                                  2022-03-22 02:35:50 UTC14INData Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.4  49779        104.16.155.36   443               C:\Users\user\AppData\Roaming\Windows Update.exe

Timestamp                kBytes transferred  Direction  Data
2022-03-22 02:36:16 UTC  14                  OUT        GET / HTTP/1.1
                                                        Host: whatismyipaddress.com
                                                        Connection: Keep-Alive
2022-03-22 02:36:16 UTC  14                  IN         HTTP/1.1 403 Forbidden
                                                        Date: Tue, 22 Mar 2022 02:36:16 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        CF-Chl-Bypass: 1
                                                        Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
                                                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                        X-Frame-Options: SAMEORIGIN
                                                        Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                        Set-Cookie: __cf_bm=hUhD2UdX9KkVERfiV5SDQBrwmWvqrKnJHnrZS9gL4WQ-1647916576-0-Af8AuUM/CWRh6nfYYBFJyHJJ4OBNTTTEmP62nrYSdhQuKojNAEw1zeh8LNsfpa7olf2S2L1utyAPIOltIVpa2lM=; path=/; expires=Tue, 22-Mar-22 03:06:16 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
                                                        Server: cloudflare
                                                        CF-RAY: 6efb89ea99529064-FRA
                                                        alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                  2022-03-22 02:36:16 UTC15INData Raw: 33 33 39 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                                                                  Data Ascii: 339c<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                                                                  2022-03-22 02:36:16 UTC15INData Raw: 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 74 69 74 6c 65 3e 50 6c 65 61 73 65 20 57 61 69 74 2e 2e 2e 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 69 64 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22
                                                                                                                  Data Ascii: o-js" lang="en-US"> ...<![endif]--><head><title>Please Wait... | Cloudflare</title> <meta name="captcha-bypass" id="captcha-bypass" /><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="
                                                                                                                  2022-03-22 02:36:16 UTC16INData Raw: 7a 4e 42 7a 30 22 2c 0a 20 20 20 20 20 20 20 20 63 46 50 57 76 3a 20 22 62 22 2c 0a 20 20 20 20 20 20 20 20 63 54 54 69 6d 65 4d 73 3a 20 22 31 30 30 30 22 2c 0a 20 20 20 20 20 20 20 20 63 4c 74 3a 20 22 6e 22 2c 0a 20 20 20 20 20 20 20 20 63 52 71 3a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 72 75 3a 20 22 61 48 52 30 63 48 4d 36 4c 79 39 33 61 47 46 30 61 58 4e 74 65 57 6c 77 59 57 52 6b 63 6d 56 7a 63 79 35 6a 62 32 30 76 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 61 3a 20 22 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 6d 3a 20 22 52 30 56 55 22 2c 0a 20 20 20 20 20 20 20 20 20 20 64 3a 20 22 7a 74 35 72 68 38 57 4d 56 6b 43 73 63 62 48 55 41 62 57 4c 78 31 59 42 6d 58 75 68 44 4b 4f 5a 48 6d 62 6d 32 71 4d 6d 58 65 31 35 37 70 6f 70 34 58 34 37 64 38 44 74
                                                                                                                  Data Ascii: zNBz0", cFPWv: "b", cTTimeMs: "1000", cLt: "n", cRq: { ru: "aHR0cHM6Ly93aGF0aXNteWlwYWRkcmVzcy5jb20v", ra: "", rm: "R0VU", d: "zt5rh8WMVkCscbHUAbWLx1YBmXuhDKOZHmbm2qMmXe157pop4X47d8Dt
                                                                                                                  2022-03-22 02:36:16 UTC18INData Raw: 36 39 70 78 3b 20 6d 61 72 67 69 6e 3a 20 20 61 75 74 6f 3b 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 70 6c 65 61 73 65 2d 77 61 69 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0a 20 20 2e 61 74 74 72 69 62 75 74 69 6f 6e 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 32 70 78 3b 7d 0a 20 20 2e 62 75 62 62 6c 65 73 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 38 32 32 30 3b 20 77 69 64 74 68 3a 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 32 30 70 78 3b 20 6d 61 72 67 69 6e 3a 32 70 78 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 30 25 3b 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 68 61 6c 6c 65 6e 67 65 2d 66 6f
                                                                                                                  Data Ascii: 69px; margin: auto;} #cf-wrapper #cf-please-wait{text-align:center} .attribution {margin-top: 32px;} .bubbles { background-color: #f58220; width:20px; height: 20px; margin:2px; border-radius:100%; display:inline-block; } #cf-wrapper #challenge-fo
                                                                                                                  2022-03-22 02:36:16 UTC19INData Raw: 20 20 20 20 20 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 68 69 67 68 6c 69 67 68 74 20 63 66 2d 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 68 69 67 68 6c 69 67 68 74 2d 69 6e 76 65 72 73 65 20 63 66 2d 66 6f 72 6d 2d 73 74 61 63 6b 65 64 22
                                                                                                                  Data Ascii: <div class="cf-section cf-highlight cf-captcha-container"> <div class="cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <div class="cf-highlight-inverse cf-form-stacked"
                                                                                                                  2022-03-22 02:36:16 UTC20INData Raw: 4e 72 65 72 5a 56 58 66 36 55 57 6a 59 4b 72 49 5f 32 2d 34 46 38 68 38 49 4d 41 34 51 37 7a 6f 4c 6d 6a 63 33 58 47 56 71 58 49 63 70 52 5a 75 34 51 62 35 42 6f 32 6c 39 6e 64 71 37 5a 61 6f 58 51 61 36 67 51 4b 79 41 71 49 57 74 6d 4d 67 36 6f 32 37 56 33 47 58 74 4e 6d 6d 49 49 44 4f 6c 4b 71 41 59 32 43 73 43 55 57 7a 6d 43 7a 54 6a 6f 44 74 45 56 38 53 78 77 42 76 38 4e 54 58 77 32 50 67 46 75 70 39 55 4a 44 6f 59 33 54 4b 75 6e 6a 75 35 71 57 6f 73 32 62 71 73 4a 4b 58 57 6f 54 78 75 48 4a 55 35 35 75 46 62 57 61 48 72 57 39 39 74 52 69 77 4c 79 30 44 52 54 4b 32 74 7a 5a 2d 43 63 56 74 51 53 72 6f 6c 64 55 38 69 56 74 37 37 46 68 7a 36 6d 72 78 52 66 49 67 36 65 37 30 54 50 66 42 64 4d 39 63 61 37 2d 77 49 72 2d 74 41 6f 37 41 37 73 4b 5a 43 78 64
                                                                                                                  Data Ascii: NrerZVXf6UWjYKrI_2-4F8h8IMA4Q7zoLmjc3XGVqXIcpRZu4Qb5Bo2l9ndq7ZaoXQa6gQKyAqIWtmMg6o27V3GXtNmmIIDOlKqAY2CsCUWzmCzTjoDtEV8SxwBv8NTXw2PgFup9UJDoY3TKunju5qWos2bqsJKXWoTxuHJU55uFbWaHrW99tRiwLy0DRTK2tzZ-CcVtQSroldU8iVt77Fhz6mrxRfIg6e70TPfBdM9ca7-wIr-tAo7A7sKZCxd
                                                                                                                  2022-03-22 02:36:16 UTC22INData Raw: 4c 30 79 53 7a 6f 68 4e 6b 77 65 38 41 4c 77 36 4a 33 66 46 4f 4a 53 50 2b 36 6f 53 34 48 76 6d 34 6e 33 37 57 38 54 33 64 54 7a 2b 4a 52 51 6a 71 52 46 64 78 67 61 66 61 75 4d 48 33 43 48 49 6f 37 75 48 47 49 59 78 57 73 51 34 38 55 72 79 70 2b 75 76 35 68 41 43 56 55 70 66 6b 6d 35 59 42 50 66 6b 4a 70 48 71 74 76 48 48 78 36 6e 43 45 45 6e 49 7a 49 77 4b 4e 58 6e 68 2f 6d 53 45 68 79 4d 68 41 45 50 47 69 66 66 45 6d 4d 2f 6c 37 71 61 69 73 39 73 72 72 2b 4d 41 74 78 63 7a 48 45 50 61 41 4e 71 37 45 52 79 4c 76 38 4a 4a 33 37 59 51 4f 38 46 75 75 61 46 30 42 50 58 41 78 4b 67 62 77 35 65 58 31 65 75 6c 76 42 7a 4a 6e 66 36 74 6f 53 2b 68 77 63 77 6c 2f 33 65 42 49 78 6f 4e 55 73 33 68 4d 73 63 43 55 54 31 62 61 50 51 6d 59 30 6e 66 68 73 58 50 4a 56 66
                                                                                                                  Data Ascii: L0ySzohNkwe8ALw6J3fFOJSP+6oS4Hvm4n37W8T3dTz+JRQjqRFdxgafauMH3CHIo7uHGIYxWsQ48Uryp+uv5hACVUpfkm5YBPfkJpHqtvHHx6nCEEnIzIwKNXnh/mSEhyMhAEPGiffEmM/l7qais9srr+MAtxczHEPaANq7ERyLv8JJ37YQO8FuuaF0BPXAxKgbw5eX1eulvBzJnf6toS+hwcwl/3eBIxoNUs3hMscCUT1baPQmY0nfhsXPJVf
                                                                                                                  2022-03-22 02:36:16 UTC23INData Raw: 65 61 73 65 20 74 75 72 6e 20 4a 61 76 61 53 63 72 69 70 74 20 6f 6e 20 61 6e 64 20 72 65 6c 6f 61 64 20 74 68 65 20 70 61 67 65 2e 3c 2f 68 31 3e 0a 20 20 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6e 6f 2d 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 63 6c 61 73 73 3d 22 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 0a 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 43 6f
                                                                                                                  Data Ascii: ease turn JavaScript on and reload the page.</h1> </noscript> <div id="no-cookie-warning" class="cookie-warning" data-translate="turn_on_cookies" style="display:none"> <p data-translate="turn_on_cookies" style="color:#bd2426;">Please enable Co
                                                                                                                  2022-03-22 02:36:16 UTC24INData Raw: 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 74 72 6b 6a 73 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 63 70 6f 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 68 2f 62 2f 6f 72 63 68 65 73 74 72 61 74 65 2f 6d 61 6e 61 67 65 64 2f 76 31 3f 72 61 79 3d 36 65 66 62 38 39 65 61 39 39 35 32 39 30 36 34 22 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74
                                                                                                                  Data Ascii: document.body.appendChild(trkjs); var cpo=document.createElement('script'); cpo.type='text/javascript'; cpo.src="/cdn-cgi/challenge-platform/h/b/orchestrate/managed/v1?ray=6efb89ea99529064"; window._cf_chl_opt
                                                                                                                  2022-03-22 02:36:16 UTC26INData Raw: 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 64 6f 20 49 20 68 61 76 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 20 61 20 43 41 50 54 43 48 41 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 64 65 74 61 69 6c 22
                                                                                                                  Data Ascii: "cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2> <p data-translate="why_captcha_detail"
                                                                                                                  2022-03-22 02:36:16 UTC27INData Raw: 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 59 6f 75 72 20 49 50 3c 2f 73 70 61 6e 3e 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 39 33 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d
                                                                                                                  Data Ascii: n> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm:block sm:mb-1"><span>Your IP</span>: 102.129.143.93</span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm
                                                                                                                  2022-03-22 02:36:16 UTC28INData Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


Timestamp                             Source Port  Dest Port  Source IP        Dest IP          Commands
Mar 22, 2022 03:35:52.781536102 CET   587          49771      108.177.127.109  192.168.2.4      220 smtp.gmail.com ESMTP e5-20020a170906374500b006d5825520a7sm7639105ejc.71 - gsmtp
Mar 22, 2022 03:35:52.781826973 CET   49771        587        192.168.2.4      108.177.127.109  EHLO 980108
Mar 22, 2022 03:35:52.813298941 CET   587          49771      108.177.127.109  192.168.2.4      250-smtp.gmail.com at your service, [102.129.143.93]
                                                                                               250-SIZE 35882577
                                                                                               250-8BITMIME
                                                                                               250-STARTTLS
                                                                                               250-ENHANCEDSTATUSCODES
                                                                                               250-PIPELINING
                                                                                               250-CHUNKING
                                                                                               250 SMTPUTF8
Mar 22, 2022 03:35:52.813864946 CET   49771        587        192.168.2.4      108.177.127.109  STARTTLS
Mar 22, 2022 03:35:52.840512037 CET   587          49771      108.177.127.109  192.168.2.4      220 2.0.0 Ready to start TLS
Mar 22, 2022 03:36:18.859519005 CET   587          49780      108.177.127.109  192.168.2.4      220 smtp.gmail.com ESMTP f17-20020a056402355100b0041925e80963sm3788897edd.41 - gsmtp
Mar 22, 2022 03:36:18.859970093 CET   49780        587        192.168.2.4      108.177.127.109  EHLO 980108
Mar 22, 2022 03:36:18.890105009 CET   587          49780      108.177.127.109  192.168.2.4      250-smtp.gmail.com at your service, [102.129.143.93]
                                                                                               250-SIZE 35882577
                                                                                               250-8BITMIME
                                                                                               250-STARTTLS
                                                                                               250-ENHANCEDSTATUSCODES
                                                                                               250-PIPELINING
                                                                                               250-CHUNKING
                                                                                               250 SMTPUTF8
Mar 22, 2022 03:36:18.890435934 CET   49780        587        192.168.2.4      108.177.127.109  STARTTLS
Mar 22, 2022 03:36:18.917603970 CET   587          49780      108.177.127.109  192.168.2.4      220 2.0.0 Ready to start TLS
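The two sessions recorded above are the sample's outbound behaviour in miniature: a decrypted HTTPS GET to whatismyipaddress.com with no User-Agent header, answered by a Cloudflare challenge page (so the public-IP lookup failed), and two SMTP submissions to smtp.gmail.com on port 587 that reach STARTTLS (so whatever is sent afterwards is not visible in the capture). The Python below is an added triage example, not Joe Sandbox code, that scores such session records for exactly those signals. The session dicts are constructed from the tables on this page; their layout is this example's own, the mail-client allow-list and the two extra IP-lookup hosts are assumptions, and attributing the SMTP session to Windows Update.exe is an assumption too, since the SMTP table does not name the client process.

```python
"""Triage of the network sessions shown above (added example, not Joe
Sandbox code). Records are constructed from the page's HTTP and SMTP
tables; their dict layout is this example's own."""
from __future__ import annotations

import re

# Public-IP lookup services. whatismyipaddress.com is the one on this page;
# the other two are an assumption about what similar stealers query.
IP_LOOKUP_HOSTS = {"whatismyipaddress.com", "api.ipify.org", "checkip.dyndns.org"}

# Processes expected to speak SMTP from a workstation (assumed allow-list).
MAIL_CLIENT_NAMES = {"outlook.exe", "thunderbird.exe"}

# User-writable directories a genuine Windows Update binary never runs from.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

SMTP_CLIENT_CMD = re.compile(r"^(EHLO|HELO|STARTTLS|AUTH|MAIL FROM|RCPT TO|DATA)\b", re.I)


def parse_http_request(raw: str) -> dict:
    """Split an HTTP/1.1 request into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def suspicious_process(path: str) -> list[str]:
    """Findings about the process owning a session, judged from its image path."""
    lowered = path.lower()
    findings = []
    if any(d in lowered for d in USER_WRITABLE_DIRS):
        findings.append(f"process runs from a user-writable directory: {path}")
    if lowered.rsplit("\\", 1)[-1] == "windows update.exe":
        findings.append("process name impersonates Windows Update")
    return findings


def score_http(session: dict) -> list[str]:
    """Flag HawkEye-style public-IP discovery in one decrypted HTTP session."""
    req = parse_http_request(session["request"])
    findings = suspicious_process(session["process"])
    host = req["headers"].get("host", "")
    if host in IP_LOOKUP_HOSTS:
        findings.append(f"public-IP lookup against {host}")
    if "user-agent" not in req["headers"]:
        findings.append("HTTP request without a User-Agent header")
    resp_headers = {k.lower() for k in session.get("response_headers", {})}
    if session.get("status") == 403 and "cf-chl-bypass" in resp_headers:
        findings.append("Cloudflare challenge page returned: the lookup did not succeed")
    return findings


def score_smtp(session: dict) -> list[str]:
    """Flag SMTP submission by a non-mail process; commands are (direction, text)."""
    findings = suspicious_process(session["process"])
    client_cmds = [t for d, t in session["commands"] if d == "OUT" and SMTP_CLIENT_CMD.match(t)]
    verbs = {c.split()[0].upper() for c in client_cmds}
    image = session["process"].lower().rsplit("\\", 1)[-1]
    if session["dst_port"] in (25, 465, 587) and verbs & {"EHLO", "HELO"} and image not in MAIL_CLIENT_NAMES:
        findings.append(f"SMTP submission to {session['dst_host']}:{session['dst_port']} by a non-mail-client process")
    if "STARTTLS" in verbs:
        findings.append("STARTTLS negotiated: message content is not visible in the capture past this point")
    for cmd in client_cmds:
        verb, _, arg = cmd.partition(" ")
        if verb.upper() == "EHLO" and "." not in arg:
            findings.append(f"EHLO argument {arg!r} is a bare host name rather than an FQDN (weak signal)")
    return findings


# Constructed from session 1 above (Windows Update.exe -> 104.16.155.36:443, TLS decrypted by the sandbox).
HTTP_SESSION = {
    "process": "C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe",
    "dst_host": "104.16.155.36", "dst_port": 443,
    "request": "GET / HTTP/1.1\r\nHost: whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
    "status": 403,
    "response_headers": {"Server": "cloudflare", "CF-Chl-Bypass": "1"},
}

# Constructed from the first SMTP exchange above. The page's SMTP table does
# not name the client process; attributing it to Windows Update.exe is assumed.
SMTP_SESSION = {
    "process": "C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe",
    "dst_host": "108.177.127.109", "dst_port": 587,
    "commands": [
        ("IN", "220 smtp.gmail.com ESMTP - gsmtp"),
        ("OUT", "EHLO 980108"),
        ("IN", "250-smtp.gmail.com at your service, [102.129.143.93]"),
        ("IN", "250-STARTTLS"),
        ("IN", "250 SMTPUTF8"),
        ("OUT", "STARTTLS"),
        ("IN", "220 2.0.0 Ready to start TLS"),
    ],
}

if __name__ == "__main__":
    for name, findings in (("HTTP", score_http(HTTP_SESSION)), ("SMTP", score_smtp(SMTP_SESSION))):
        print(name)
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately independent so that one of them failing to fire (for example a sample that does send a User-Agent) still leaves the process-path and SMTP findings standing; the EHLO-argument check is marked weak because .NET's SmtpClient sends the machine name there for legitimate senders as well.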


Target ID: 0
Start time: 03:35:23
Start date: 22/03/2022
Path: C:\Users\user\Desktop\steg.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\steg.exe"
Imagebase: 0xf80000
File size: 1167872 bytes
MD5 hash: 30747BB37997B54D37BAE65AE590B7E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000000.00000002.282081034.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000000.00000000.234986567.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000003.272692370.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 4
Start time: 03:35:42
Start date: 22/03/2022
Path: C:\Users\user\AppData\Roaming\Windows Update.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Windows Update.exe"
Imagebase: 0x10000
File size: 1167872 bytes
MD5 hash: 30747BB37997B54D37BAE65AE590B7E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.276220199.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000003.292924659.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.278862064.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.276722207.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.302645603.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000004.00000001.280458737.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000004.00000000.280199834.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 00000004.00000002.301202133.0000000000012000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: SecurityXploded_Producer_String, Description: Detects hacktools by SecurityXploded, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Florian Roth
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 88%, ReversingLabs
                                                                                                                  Reputation:low

                                                                                                                  Target ID:11
                                                                                                                  Start time:03:35:51
                                                                                                                  Start date:22/03/2022
                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:dw20.exe -x -s 2708
                                                                                                                  Imagebase:0x10000000
                                                                                                                  File size:33936 bytes
                                                                                                                  MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Target ID:12
                                                                                                                  Start time:03:36:02
                                                                                                                  Start date:22/03/2022
                                                                                                                  Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
                                                                                                                  Imagebase:0x2c0000
                                                                                                                  File size:1167872 bytes
                                                                                                                  MD5 hash:30747BB37997B54D37BAE65AE590B7E8
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000003.324470514.0000000000915000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 0000000C.00000000.319176501.00000000002C2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                  • Rule: SecurityXploded_Producer_String, Description: Detects hacktools by SecurityXploded, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Florian Roth
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 88%, ReversingLabs
                                                                                                                  Reputation:low

                                                                                                                  Target ID:14
                                                                                                                  Start time:03:36:07
                                                                                                                  Start date:22/03/2022
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Update.exe"
                                                                                                                  Imagebase:0xac0000
                                                                                                                  File size:1167872 bytes
                                                                                                                  MD5 hash:30747BB37997B54D37BAE65AE590B7E8
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.330022226.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.329408523.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 0000000E.00000002.356895445.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000E.00000003.351328752.0000000007544000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.331051101.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_EmailPasswordDump_Tool, Description: Yara detected EmailPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BrowserPasswordDump_Tool, Description: Yara detected BrowserPasswordDump Tool by SecurityXploded, Source: 0000000E.00000000.330464397.0000000000AC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  Reputation:low

                                                                                                                  Target ID:15
                                                                                                                  Start time:03:36:17
                                                                                                                  Start date:22/03/2022
                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:dw20.exe -x -s 2676
                                                                                                                  Imagebase:0x10000000
                                                                                                                  File size:33936 bytes
                                                                                                                  MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  No disassembly